Your submission was sent successfully! Close

CVE-2019-13132

Published: 08 July 2019

In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

From the Ubuntu security team

It was discovered that ZeroMQ incorrectly handled certain application metadata. A remote attacker could use this issue to cause ZeroMQ to crash, or possibly execute arbitrary code.

Priority

High

CVSS 3 base score: 9.8

Status

Package Release Status
zeromq3
Launchpad, Ubuntu, Debian
Upstream Pending
(4.3.2,4.1.7,4.0.9)
Ubuntu 21.10 (Impish Indri)
Released (4.3.1-3ubuntu2.1)
Ubuntu 21.04 (Hirsute Hippo)
Released (4.3.1-3ubuntu2.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (4.3.1-3ubuntu2.1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.2.5-1ubuntu0.2)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.1.4-7ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr) Needed