In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2,
a remote, unauthenticated client connecting to a libzmq application that has
a socket listening with CURVE encryption/authentication enabled may cause a
stack overflow and overwrite the stack with arbitrary data, due to a buffer
overflow in the library. Users running public servers with the above
configuration are highly encouraged to upgrade as soon as possible, as there
are no known mitigations.

It was discovered that ZeroMQ incorrectly handled certain application metadata.
A remote attacker could use this issue to cause ZeroMQ to crash, or possibly
execute arbitrary code.

Upstream: pending (4.3.2, 4.1.7, 4.0.9)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): released (4.1.4-7ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver): released (4.2.5-1ubuntu0.2)
Ubuntu 19.04 (Disco Dingo): released (4.3.1-3ubuntu2.1)
Ubuntu 19.10 (Eoan): needed
Updated: 2019-08-16 15:14:23 UTC (commit 5361c67d07aa5974ee5576195f5ae50712d72c5c)