Subject: [ASA-202009-16] zeromq: denial of service Arch Linux Security Advisory ASA-202009-16 ========================================== Severity: High Date : 2020-09-26 CVE-ID : CVE-2020-15166 Package : zeromq Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1219 Summary ======= The package zeromq before version 4.3.3-1 is vulnerable to denial of service. Resolution ========== Upgrade to 4.3.3-1. # pacman -Syu "zeromq>=4.3.3-1" The problem has been fixed upstream in version 4.3.3. Workaround ========== None. Description =========== A denial of service has been found in libzmq before 4.3.3, allowing unauthenticated clients to prevent legitimate clients from exchange any message with a CURVE/ZAP-protected server. Impact ====== A remote attacker might be able to cause a denial of service through a malicious connection. References ========== https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m https://github.com/zeromq/libzmq/pull/3913/commits/e7f0090b161ce6344f6bd35009816a925c070b09 https://oss-fuzz.com/testcase-detail/5707174518194176 https://security.archlinux.org/CVE-2020-15166