[Buildroot] [PATCH 1/1] zeromq: bump to version 4.3.1
Peter Korsgaard
peter at korsgaard.com
Tue Jan 15 13:14:03 UTC 2019
>>>>> "Asaf" == Asaf Kahlon <asafka7 at gmail.com> writes:
> Remove the patches as they're already on upstream.
> As a consequence, no need to autoreconf anymore.
> Also added license hashes.
> Signed-off-by: Asaf Kahlon <asafka7 at gmail.com>
Looking at https://github.com/zeromq/libzmq/releases, I see that this
release also fixes security issues:
CVE-2019-6250: A vulnerability has been found that would allow attackers to direct a peer to
jump to and execute from an address indicated by the attacker.
This issue has been present since v4.2.0. Older releases are not affected.
NOTE: The attacker needs to know in advance valid addresses in the peer's
memory to jump to, so measures like ASLR are effective mitigations.
NOTE: this attack can only take place after authentication, so peers behind
CURVE/GSSAPI are not vulnerable to unauthenticated attackers.
See #3351 for more details.
Once more, please mark version bumps that fix security vulnerabilities
as such so I don't miss them when backporting to the stable/LTS
branches.
--
Bye, Peter Korsgaard