Candidate: CVE-2020-15166
PublicDate: 2020-09-11 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15166
 https://www.openwall.com/lists/oss-security/2020/09/07/3
 https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
 https://github.com/zeromq/libzmq/commit/e7f0090b161ce6344f6bd35009816a925c070b09
Description:
 In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability.
 Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are
 impacted. If a raw TCP socket is opened and connected to an endpoint that
 is fully configured with CURVE/ZAP, legitimate clients will not be able to
 exchange any message. Handshakes complete successfully, and messages are
 delivered to the library, but the server application never receives them.
 This is patched in version 4.3.3.
Ubuntu-Description:
 It was discovered that ZeroMQ mishandled certain network traffic. An
 unauthenticated attacker could use this vulnerability to cause a
 denial-of-service and prevent legitimate clients from communicating with
 ZeroMQ.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_zeromq3:
upstream_zeromq3: released (4.3.3-1)
precise/esm_zeromq3: DNE
trusty_zeromq3: ignored (out of standard support)
trusty/esm_zeromq3: needed
xenial_zeromq3: ignored (end of standard support, was needed)
bionic_zeromq3: needed
focal_zeromq3: needed
groovy_zeromq3: ignored (reached end-of-life)
hirsute_zeromq3: not-affected (4.3.3-4ubuntu1)
impish_zeromq3: not-affected (4.3.3-4ubuntu1)
jammy_zeromq3: not-affected (4.3.3-4ubuntu1)
devel_zeromq3: not-affected (4.3.3-4ubuntu1)