Debian Bug report logs -
#784366
zeromq3: CVE-2014-9721: V3 protocol handler vulnerable to downgrade attacks
Reported by: John Morris <john@zultron.com>
Date: Tue, 5 May 2015 20:03:01 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version 4.0.5+dfsg-2
Fixed in versions zeromq3/4.0.5+dfsg-3, 4.0.5+dfsg-2+deb8u1
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, john@zultron.com, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#784366; Package zeromq3.
(Tue, 05 May 2015 20:03:06 GMT) (full text, mbox, link).
Acknowledgement sent
to John Morris <john@zultron.com>:
New Bug report received and forwarded. Copy sent to john@zultron.com, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Tue, 05 May 2015 20:03:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: zeromq3
Severity: grave
A security bug in 4.0.5 [1] allows attackers to bypass security:
> It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by
> sending a ZMTP v2 or earlier header. The library accepts such
> connections without applying its security mechanism.
>
> Solution: if security is defined on a socket, reject all V2 and earlier
> connections, unconditionally.
>
> Fixed by #6cf120 and related commits.
[1]: https://github.com/zeromq/libzmq/issues/1273
[zeromq3-deb-protocol-downgrade-attack.patch (text/x-diff, inline)]
commit 5425f379caedaf6d19f418d2042e3a5938c9fb07
Author: John Morris <john@zultron.com>
Date: Tue May 5 14:31:19 2015 -0500
4.0.5-2: Back-port 'protocol downgrade attack' security fix
See
https://github.com/zeromq/zeromq4-x/pull/101
and
https://github.com/zeromq/libzmq/issues/1273
diff --git a/changelog b/changelog
index e6eb711..a0c256b 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,10 @@
+zeromq3 (4.0.5-2) unstable; urgency=low
+
+ * Back-port 'protocol downgrade attack' security fix
+ - https://github.com/zeromq/zeromq4-x/pull/101
+
+ -- John Morris <john@zultron.com> Tue, 05 May 2015 13:57:49 -0500
+
zeromq3 (4.0.5+dfsg-2) unstable; urgency=medium
* Don't use test_security_curve to prevent FTBFS.
diff --git a/patches/protocol-downgrade-attack.patch b/patches/protocol-downgrade-attack.patch
new file mode 100644
index 0000000..cffca66
--- /dev/null
+++ b/patches/protocol-downgrade-attack.patch
@@ -0,0 +1,434 @@
+- See https://github.com/zeromq/zeromq4-x/pull/101
+- Almost unchanged from https://github.com/zeromq/zeromq4-x/commit/77ef79e3
+ - John Morris <john@zultron.com>
+
+
+From 77ef79e3b565f120172c6d1c30fabec6185553da Mon Sep 17 00:00:00 2001
+From: Pieter Hintjens <ph@imatix.com>
+Date: Fri, 5 Dec 2014 09:07:37 +0100
+Subject: [PATCH] Problem: issue #1273, protocol downgrade attack
+
+Solution: backport fix from libzmq master. Also backported test
+cases.
+---
+ src/session_base.cpp | 8 +++
+ src/session_base.hpp | 3 +-
+ src/stream_engine.cpp | 15 ++++++
+ tests/test_security_curve.cpp | 66 ++++++++++++++++++++---
+ tests/test_security_null.cpp | 121 ++++++++++++++++++++++++++----------------
+ tests/test_security_plain.cpp | 37 ++++++++++++-
+ 7 files changed, 197 insertions(+), 57 deletions(-)
+
+diff --git a/src/session_base.cpp b/src/session_base.cpp
+index 537dcb3..0b58436 100644
+--- a/src/session_base.cpp
++++ b/src/session_base.cpp
+@@ -323,6 +323,14 @@ int zmq::session_base_t::zap_connect ()
+ return 0;
+ }
+
++bool zmq::session_base_t::zap_enabled ()
++{
++ return (
++ options.mechanism != ZMQ_NULL ||
++ (options.mechanism == ZMQ_NULL && options.zap_domain.length() > 0)
++ );
++}
++
+ void zmq::session_base_t::process_attach (i_engine *engine_)
+ {
+ zmq_assert (engine_ != NULL);
+diff --git a/src/session_base.hpp b/src/session_base.hpp
+index 2ef7dc5..63e16bd 100644
+--- a/src/session_base.hpp
++++ b/src/session_base.hpp
+@@ -68,7 +68,8 @@ namespace zmq
+ int push_msg (msg_t *msg_);
+
+ int zap_connect ();
+-
++ bool zap_enabled ();
++
+ // Fetches a message. Returns 0 if successful; -1 otherwise.
+ // The caller is responsible for freeing the message when no
+ // longer used.
+diff --git a/src/stream_engine.cpp b/src/stream_engine.cpp
+index 4d252d8..3d84d8f 100644
+--- a/src/stream_engine.cpp
++++ b/src/stream_engine.cpp
+@@ -464,6 +464,11 @@ bool zmq::stream_engine_t::handshake ()
+ // Is the peer using ZMTP/1.0 with no revision number?
+ // If so, we send and receive rest of identity message
+ if (greeting_recv [0] != 0xff || !(greeting_recv [9] & 0x01)) {
++ if (session->zap_enabled ()) {
++ // Reject ZMTP 1.0 connections if ZAP is enabled
++ error ();
++ return false;
++ }
+ encoder = new (std::nothrow) v1_encoder_t (out_batch_size);
+ alloc_assert (encoder);
+
+@@ -505,6 +510,11 @@ bool zmq::stream_engine_t::handshake ()
+ }
+ else
+ if (greeting_recv [revision_pos] == ZMTP_1_0) {
++ if (session->zap_enabled ()) {
++ // Reject ZMTP 1.0 connections if ZAP is enabled
++ error ();
++ return false;
++ }
+ encoder = new (std::nothrow) v1_encoder_t (
+ out_batch_size);
+ alloc_assert (encoder);
+@@ -515,6 +525,11 @@ bool zmq::stream_engine_t::handshake ()
+ }
+ else
+ if (greeting_recv [revision_pos] == ZMTP_2_0) {
++ if (session->zap_enabled ()) {
++ // Reject ZMTP 1.0 connections if ZAP is enabled
++ error ();
++ return false;
++ }
+ encoder = new (std::nothrow) v2_encoder_t (out_batch_size);
+ alloc_assert (encoder);
+
+diff --git a/tests/test_security_curve.cpp b/tests/test_security_curve.cpp
+index a24466f..e99a4b3 100644
+--- a/tests/test_security_curve.cpp
++++ b/tests/test_security_curve.cpp
+@@ -18,12 +18,23 @@
+ */
+
+ #include "testutil.hpp"
++#if defined (ZMQ_HAVE_WINDOWS)
++# include <winsock2.h>
++# include <ws2tcpip.h>
++# include <stdexcept>
++# define close closesocket
++#else
++# include <sys/socket.h>
++# include <netinet/in.h>
++# include <arpa/inet.h>
++# include <unistd.h>
++#endif
+
+ // We'll generate random test keys at startup
+-static char client_public [40];
+-static char client_secret [40];
+-static char server_public [40];
+-static char server_secret [40];
++static char client_public [41];
++static char client_secret [41];
++static char server_public [41];
++static char server_secret [41];
+
+ // --------------------------------------------------------------------------
+ // This methods receives and validates ZAP requestes (allowing or denying
+@@ -46,7 +57,7 @@ static void zap_handler (void *handler)
+ int size = zmq_recv (handler, client_key, 32, 0);
+ assert (size == 32);
+
+- char client_key_text [40];
++ char client_key_text [41];
+ zmq_z85_encode (client_key_text, client_key, 32);
+
+ assert (streq (version, "1.0"));
+@@ -181,8 +192,8 @@ int main (void)
+
+ // Check CURVE security with bogus client credentials
+ // This must be caught by the ZAP handler
+- char bogus_public [40];
+- char bogus_secret [40];
++ char bogus_public [41];
++ char bogus_secret [41];
+ zmq_curve_keypair (bogus_public, bogus_secret);
+
+ client = zmq_socket (ctx, ZMQ_DEALER);
+@@ -217,7 +228,46 @@ int main (void)
+ assert (rc == 0);
+ expect_bounce_fail (server, client);
+ close_zero_linger (client);
+-
++
++ // Unauthenticated messages from a vanilla socket shouldn't be received
++ struct sockaddr_in ip4addr;
++ int s;
++
++ ip4addr.sin_family = AF_INET;
++ ip4addr.sin_port = htons (9998);
++ inet_pton (AF_INET, "127.0.0.1", &ip4addr.sin_addr);
++
++ s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
++ rc = connect (s, (struct sockaddr*) &ip4addr, sizeof (ip4addr));
++ assert (rc > -1);
++ // send anonymous ZMTP/1.0 greeting
++ send (s, "\x01\x00", 2, 0);
++ // send sneaky message that shouldn't be received
++ send (s, "\x08\x00sneaky\0", 9, 0);
++ int timeout = 150;
++ zmq_setsockopt (server, ZMQ_RCVTIMEO, &timeout, sizeof (timeout));
++ char *buf = s_recv (server);
++ if (buf != NULL) {
++ printf ("Received unauthenticated message: %s\n", buf);
++ assert (buf == NULL);
++ }
++ close (s);
++
++ // Check return codes for invalid buffer sizes
++ client = zmq_socket (ctx, ZMQ_DEALER);
++ assert (client);
++ errno = 0;
++ rc = zmq_setsockopt (client, ZMQ_CURVE_SERVERKEY, server_public, 123);
++ assert (rc == -1 && errno == EINVAL);
++ errno = 0;
++ rc = zmq_setsockopt (client, ZMQ_CURVE_PUBLICKEY, client_public, 123);
++ assert (rc == -1 && errno == EINVAL);
++ errno = 0;
++ rc = zmq_setsockopt (client, ZMQ_CURVE_SECRETKEY, client_secret, 123);
++ assert (rc == -1 && errno == EINVAL);
++ rc = zmq_close (client);
++ assert (rc == 0);
++
+ // Shutdown
+ rc = zmq_close (server);
+ assert (rc == 0);
+diff --git a/tests/test_security_null.cpp b/tests/test_security_null.cpp
+index 8a55632..6b74e8c 100644
+--- a/tests/test_security_null.cpp
++++ b/tests/test_security_null.cpp
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 2007-2013 Contributors as noted in the AUTHORS file
++ Copyright (c) 2007-2014 Contributors as noted in the AUTHORS file
+
+ This file is part of 0MQ.
+
+@@ -18,6 +18,17 @@
+ */
+
+ #include "testutil.hpp"
++#if defined (ZMQ_HAVE_WINDOWS)
++# include <winsock2.h>
++# include <ws2tcpip.h>
++# include <stdexcept>
++# define close closesocket
++#else
++# include <sys/socket.h>
++# include <netinet/in.h>
++# include <arpa/inet.h>
++# include <unistd.h>
++#endif
+
+ static void
+ zap_handler (void *handler)
+@@ -27,6 +38,7 @@ zap_handler (void *handler)
+ char *version = s_recv (handler);
+ if (!version)
+ break; // Terminating
++
+ char *sequence = s_recv (handler);
+ char *domain = s_recv (handler);
+ char *address = s_recv (handler);
+@@ -57,7 +69,7 @@ zap_handler (void *handler)
+ free (identity);
+ free (mechanism);
+ }
+- zmq_close (handler);
++ close_zero_linger (handler);
+ }
+
+ int main (void)
+@@ -76,72 +88,89 @@ int main (void)
+ void *zap_thread = zmq_threadstart (&zap_handler, handler);
+
+ // We bounce between a binding server and a connecting client
++
++ // We first test client/server with no ZAP domain
++ // Libzmq does not call our ZAP handler, the connect must succeed
+ void *server = zmq_socket (ctx, ZMQ_DEALER);
+ assert (server);
+ void *client = zmq_socket (ctx, ZMQ_DEALER);
+ assert (client);
+-
+- // We first test client/server with no ZAP domain
+- // Libzmq does not call our ZAP handler, the connect must succeed
+ rc = zmq_bind (server, "tcp://127.0.0.1:9000");
+ assert (rc == 0);
+- rc = zmq_connect (client, "tcp://localhost:9000");
++ rc = zmq_connect (client, "tcp://127.0.0.1:9000");
+ assert (rc == 0);
+ bounce (server, client);
+- zmq_unbind (server, "tcp://127.0.0.1:9000");
+- zmq_disconnect (client, "tcp://localhost:9000");
+-
++ close_zero_linger (client);
++ close_zero_linger (server);
++
+ // Now define a ZAP domain for the server; this enables
+ // authentication. We're using the wrong domain so this test
+ // must fail.
+- // **************************************************************
+- // PH: the following causes libzmq to get confused, so that the
+- // next step fails. To reproduce, uncomment this block. Note that
+- // even creating a new client/server socket pair, the behaviour
+- // does not change.
+- // **************************************************************
+- // Destroying the old sockets and creating new ones isn't needed,
+- // but it shows that the problem isn't related to specific sockets.
+- //close_zero_linger (client);
+- //close_zero_linger (server);
+- //server = zmq_socket (ctx, ZMQ_DEALER);
+- //assert (server);
+- //client = zmq_socket (ctx, ZMQ_DEALER);
+- //assert (client);
+- //// The above code should not be required
+- //rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "WRONG", 5);
+- //assert (rc == 0);
+- //rc = zmq_bind (server, "tcp://127.0.0.1:9001");
+- //assert (rc == 0);
+- //rc = zmq_connect (client, "tcp://localhost:9001");
+- //assert (rc == 0);
+- //expect_bounce_fail (server, client);
+- //zmq_unbind (server, "tcp://127.0.0.1:9001");
+- //zmq_disconnect (client, "tcp://localhost:9001");
+-
++ server = zmq_socket (ctx, ZMQ_DEALER);
++ assert (server);
++ client = zmq_socket (ctx, ZMQ_DEALER);
++ assert (client);
++ rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "WRONG", 5);
++ assert (rc == 0);
++ rc = zmq_bind (server, "tcp://127.0.0.1:9001");
++ assert (rc == 0);
++ rc = zmq_connect (client, "tcp://127.0.0.1:9001");
++ assert (rc == 0);
++ expect_bounce_fail (server, client);
++ close_zero_linger (client);
++ close_zero_linger (server);
++
+ // Now use the right domain, the test must pass
++ server = zmq_socket (ctx, ZMQ_DEALER);
++ assert (server);
++ client = zmq_socket (ctx, ZMQ_DEALER);
++ assert (client);
+ rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "TEST", 4);
+ assert (rc == 0);
+ rc = zmq_bind (server, "tcp://127.0.0.1:9002");
+ assert (rc == 0);
+- rc = zmq_connect (client, "tcp://localhost:9002");
++ rc = zmq_connect (client, "tcp://127.0.0.1:9002");
+ assert (rc == 0);
+- // **************************************************************
+- // PH: it fails here; though the ZAP reply is 200 OK, and
+- // null_mechanism.cpp correctly parses that, the connection
+- // never succeeds and the test hangs.
+- // **************************************************************
+ bounce (server, client);
+- zmq_unbind (server, "tcp://127.0.0.1:9002");
+- zmq_disconnect (client, "tcp://localhost:9002");
+-
+- // Shutdown
+ close_zero_linger (client);
+ close_zero_linger (server);
+- rc = zmq_ctx_term (ctx);
++
++ // Unauthenticated messages from a vanilla socket shouldn't be received
++ server = zmq_socket (ctx, ZMQ_DEALER);
++ assert (server);
++ rc = zmq_setsockopt (server, ZMQ_ZAP_DOMAIN, "WRONG", 5);
+ assert (rc == 0);
++ rc = zmq_bind (server, "tcp://127.0.0.1:9003");
++ assert (rc == 0);
++
++ struct sockaddr_in ip4addr;
++ int s;
++
++ ip4addr.sin_family = AF_INET;
++ ip4addr.sin_port = htons(9003);
++ inet_pton(AF_INET, "127.0.0.1", &ip4addr.sin_addr);
+
+- // Wait until ZAP handler terminates.
++ s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
++ rc = connect (s, (struct sockaddr*) &ip4addr, sizeof ip4addr);
++ assert (rc > -1);
++ // send anonymous ZMTP/1.0 greeting
++ send (s, "\x01\x00", 2, 0);
++ // send sneaky message that shouldn't be received
++ send (s, "\x08\x00sneaky\0", 9, 0);
++ int timeout = 150;
++ zmq_setsockopt (server, ZMQ_RCVTIMEO, &timeout, sizeof (timeout));
++ char *buf = s_recv (server);
++ if (buf != NULL) {
++ printf ("Received unauthenticated message: %s\n", buf);
++ assert (buf == NULL);
++ }
++ close (s);
++ close_zero_linger (server);
++
++ // Shutdown
++ rc = zmq_ctx_term (ctx);
++ assert (rc == 0);
++ // Wait until ZAP handler terminates
+ zmq_threadclose (zap_thread);
+
+ return 0;
+diff --git a/tests/test_security_plain.cpp b/tests/test_security_plain.cpp
+index 74973fd..c257840 100644
+--- a/tests/test_security_plain.cpp
++++ b/tests/test_security_plain.cpp
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 2007-2013 Contributors as noted in the AUTHORS file
++ Copyright (c) 2007-2014 Contributors as noted in the AUTHORS file
+
+ This file is part of 0MQ.
+
+@@ -18,6 +18,17 @@
+ */
+
+ #include "testutil.hpp"
++#if defined (ZMQ_HAVE_WINDOWS)
++# include <winsock2.h>
++# include <ws2tcpip.h>
++# include <stdexcept>
++# define close closesocket
++#else
++# include <sys/socket.h>
++# include <netinet/in.h>
++# include <arpa/inet.h>
++# include <unistd.h>
++#endif
+
+ static void
+ zap_handler (void *ctx)
+@@ -137,6 +148,30 @@ int main (void)
+ expect_bounce_fail (server, client);
+ close_zero_linger (client);
+
++ // Unauthenticated messages from a vanilla socket shouldn't be received
++ struct sockaddr_in ip4addr;
++ int s;
++
++ ip4addr.sin_family = AF_INET;
++ ip4addr.sin_port = htons (9998);
++ inet_pton (AF_INET, "127.0.0.1", &ip4addr.sin_addr);
++
++ s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
++ rc = connect (s, (struct sockaddr*) &ip4addr, sizeof (ip4addr));
++ assert (rc > -1);
++ // send anonymous ZMTP/1.0 greeting
++ send (s, "\x01\x00", 2, 0);
++ // send sneaky message that shouldn't be received
++ send (s, "\x08\x00sneaky\0", 9, 0);
++ int timeout = 150;
++ zmq_setsockopt (server, ZMQ_RCVTIMEO, &timeout, sizeof (timeout));
++ char *buf = s_recv (server);
++ if (buf != NULL) {
++ printf ("Received unauthenticated message: %s\n", buf);
++ assert (buf == NULL);
++ }
++ close (s);
++
+ // Shutdown
+ rc = zmq_close (server);
+ assert (rc == 0);
diff --git a/patches/series b/patches/series
index 8c92f72..12abfb1 100644
--- a/patches/series
+++ b/patches/series
@@ -1,2 +1,3 @@
revert-soname-to-3.patch
+protocol-downgrade-attack.patch
disable-test_security_curve.patch
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Tue, 05 May 2015 22:09:09 GMT) (full text, mbox, link).
Notification sent
to John Morris <john@zultron.com>:
Bug acknowledged by developer.
(Tue, 05 May 2015 22:09:10 GMT) (full text, mbox, link).
Message #10 received at 784366-close@bugs.debian.org (full text, mbox, reply):
Source: zeromq3
Source-Version: 4.0.5+dfsg-3
We believe that the bug you reported is fixed in the latest version of
zeromq3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 784366@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated zeromq3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 05 May 2015 21:06:02 +0000
Source: zeromq3
Binary: libzmq3 libzmq3-dev libzmq3-dbg
Architecture: source amd64
Version: 4.0.5+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
libzmq3 - lightweight messaging kernel (shared library)
libzmq3-dbg - lightweight messaging kernel (debugging symbols)
libzmq3-dev - lightweight messaging kernel (development files)
Closes: 784366
Changes:
zeromq3 (4.0.5+dfsg-3) unstable; urgency=high
.
* V3 protocol handler vulnerable to downgrade attacks, use upstream
backported fix for this issue (closes: #784366).
Checksums-Sha1:
1e9c6631b35209d52cb261e5c59138cb4de8d337 2015 zeromq3_4.0.5+dfsg-3.dsc
e00eed0a4d183c1292208a164d821430e5f33186 12912 zeromq3_4.0.5+dfsg-3.debian.tar.xz
44acd96c6b4f09a3ae4323b8cdaa16bfb8592d50 436400 libzmq3_4.0.5+dfsg-3_amd64.deb
804318f339b126a7f6b57a04a6d688bc3a828cd8 563892 libzmq3-dev_4.0.5+dfsg-3_amd64.deb
7e68cf53b61fc06e36f5ffcf2a9da302815ae7ba 1447340 libzmq3-dbg_4.0.5+dfsg-3_amd64.deb
Checksums-Sha256:
6bfcb86ca0ba15d6f171c89726568d5108800c0abf767ff1fe43f9ecf147b934 2015 zeromq3_4.0.5+dfsg-3.dsc
3b701556d04ccd440d949877d44965fdf69b7435802e48058e0d522963d53f97 12912 zeromq3_4.0.5+dfsg-3.debian.tar.xz
df43981db5a8c2e5736b8b9119781f1fca07a7fb833e352dda83cc5e9077dd6c 436400 libzmq3_4.0.5+dfsg-3_amd64.deb
8a7ae75a9ecae0af47db55003bb1618168f939a4c91b964a322349f32799cc84 563892 libzmq3-dev_4.0.5+dfsg-3_amd64.deb
03d6b4ce39f800a08005ad25a47aa933b051033443c361e1135ac0c4cfeaa19b 1447340 libzmq3-dbg_4.0.5+dfsg-3_amd64.deb
Files:
22847fdfd7f542ddcece71936e3dbdc4 2015 libs optional zeromq3_4.0.5+dfsg-3.dsc
752758e732e7cbfb382906e98a77a3a1 12912 libs optional zeromq3_4.0.5+dfsg-3.debian.tar.xz
964fc154db7fc7f20abdfd36d2adf9e8 436400 libs optional libzmq3_4.0.5+dfsg-3_amd64.deb
6d9a8f2cb8e1fa169a1c66a0ad2b65ad 563892 libdevel optional libzmq3-dev_4.0.5+dfsg-3_amd64.deb
f7b1c48b4b8fb9a4414f550aede1a725 1447340 debug extra libzmq3-dbg_4.0.5+dfsg-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJVSTabAAoJENzjEOeGTMi/zOkP/jLsc3+6ZAytHw/iSDccuxTc
Skd4+D3qUTGw/jfxPe+EOWLXyqwlM3uQms5K0cU1fxQOAt0vO2kly5/toVh4yau+
Tz0aFg2JRF86CkT6sE5MxTn/BBUg8s1uMHCsAujX3iTkXfLniPH7AvXUTFnEdLy2
wfcKngXks+L5WoWztgU9m+jBgtuZUbtlz88xbW7hJRCzp2+UU/OMbt0uxPFdKuZi
Kx8xX+xNltNRjO5TkNcAvbx/SVqnDJUJju0mir12l70UoUmKkG0ABOkevsn6dZ8F
BKCl0tJt2lWVAjs+REG3X0SOyFN+QHZ6obG9CprBWLPtqif8KrAUiiAXJl7b+Iu/
npqiywaG+IYId14xTrk3BOSq2hjkp3nWCoCUPwXovy62jZrpNkMofuOpl4K1/4dh
9P2tJPzMkzVn1sI1hAfU60IEOS3wxWylpyaphhYwBKB2pUjRCCgkhaO5Oqnsfo9d
luPuLF9nwfFkWM2N6V/baHJNNZYwFqh02MXdnzvFHQ2vL8hhLLQUIbpG91BG6tuu
of2gQOSZ9m4ORNLeQfcTL19UfuS9efRvFljtUe33S5RZgWbYoPIIbBLsOlBU37Iz
7xFgDPTAdvoOWJbrsE55T2FFNUKEhTTyP2BSol3/TlDPzVrxIImzTLef56NSPhzl
mELktxyvCHsJJPiuRKBa
=EtFk
-----END PGP SIGNATURE-----
Marked as found in versions 4.0.5+dfsg-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 06 May 2015 08:06:04 GMT) (full text, mbox, link).
Added tag(s) upstream, security, and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 06 May 2015 08:06:05 GMT) (full text, mbox, link).
Changed Bug title to 'zeromq3: CVE-2014-9721: V3 protocol handler vulnerable to downgrade attacks' from 'zeromq3: V3 protocol handler vulnerable to downgrade attacks'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 21 May 2015 14:39:15 GMT) (full text, mbox, link).
Marked as fixed in versions 4.0.5+dfsg-2+deb8u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 21 May 2015 15:45:09 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 19 Jun 2015 07:35:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:07:12 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon