A vulnerability in ZeroMQ could lead to a Denial of Service condition.
|Package||net-libs/zeromq on all architectures|
|Affected versions||< 4.3.3|
|Unaffected versions||>= 4.3.3|
Looks like an embeddable networking library but acts like a concurrency framework.
It was discovered that ZeroMQ does not properly handle connecting peers before a handshake is completed.
An unauthenticated remote attacker able to connect to a ZeroMQ endpoint, even with CURVE encryption/authentication enabled, can cause a Denial of Service condition.
There is no known workaround at this time.
All ZeroMQ users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/zeromq-4.3.3"
September 13, 2020
September 13, 2020: 1