PublicDateAtUSN: 2019-07-08 16:00:00 UTC
Candidate: CVE-2019-13132
CRD: 2019-07-08 16:00:00 UTC
PublicDate: 2019-07-10 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13132
 https://ubuntu.com/security/notices/USN-4050-1
Description:
 In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2,
 a remote, unauthenticated client connecting to a libzmq application,
 running with a socket listening with CURVE encryption/authentication
 enabled, may cause a stack overflow and overwrite the stack with arbitrary
 data, due to a buffer overflow in the library. Users running public servers
 with the above configuration are highly encouraged to upgrade as soon as
 possible, as there are no known mitigations.
Ubuntu-Description:
 It was discovered that ZeroMQ incorrectly handled certain application
 metadata. A remote attacker could use this issue to cause ZeroMQ to crash,
 or possibly execute arbitrary code.
Notes:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1835213
Priority: high
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_zeromq3:
upstream_zeromq3: pending (4.3.2,4.1.7,4.0.9)
precise/esm_zeromq3: DNE
trusty_zeromq3: ignored (out of standard support)
trusty/esm_zeromq3: needed
xenial_zeromq3: released (4.1.4-7ubuntu0.1)
bionic_zeromq3: released (4.2.5-1ubuntu0.2)
cosmic_zeromq3: released (4.2.5-2ubuntu0.2)
disco_zeromq3: released (4.3.1-3ubuntu2.1)
eoan_zeromq3: released (4.3.1-3ubuntu2.1)
focal_zeromq3: released (4.3.1-3ubuntu2.1)
groovy_zeromq3: released (4.3.1-3ubuntu2.1)
hirsute_zeromq3: released (4.3.1-3ubuntu2.1)
impish_zeromq3: released (4.3.1-3ubuntu2.1)
jammy_zeromq3: released (4.3.1-3ubuntu2.1)
devel_zeromq3: released (4.3.1-3ubuntu2.1)