zeromq: Denial-of-Service on CURVE/ZAP-protected servers (CVE-2020-15166)
If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.
Affected Versions: zeromq <= 4.3.2
Fixed In Version: zeromq 4.3.3
References:
- https://www.openwall.com/lists/oss-security/2020/09/07/3
- https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
Affected branches:
- master (9c865ca6)
- 3.12-stable
- 3.11-stable
- 3.10-stable
- 3.9-stable
Edited by Leo