Arch Linux Security Advisory ASA-201410-4
=========================================

Severity: Medium
Date    : 2014-10-15
CVE-ID  : CVE-2014-7202 CVE-2014-7203
Package : zeromq
Type    : man-in-the-middle downgrade and replay attacks
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package zeromq before version 4.0.5-1 is vulnerable to man-in-the-middle downgrade and replay attacks.

Resolution
==========

Upgrade to 4.0.5-1.

# pacman -Syu "zeromq>=4.0.5-1"

The problems have been fixed upstream in version 4.0.5.

Workaround
==========

None.

Description
===========

- CVE-2014-7202 (downgrade attack)

A bug in stream_engine.cpp allows a man-in-the-middle attacker to conduct a downgrade attack via a crafted connection request.

- CVE-2014-7203 (replay attack)

libzmq did not ensure that nonces are unique, which allows a man-in-the-middle attacker to replay recorded messages via unspecified vectors.

Impact
======

An attacker positioned between two peers can make unauthorized modifications to the exchanged data, either by downgrading the connection to a weaker protocol version or by replaying previously recorded communication.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7203
https://github.com/zeromq/libzmq/issues/1190
https://github.com/zeromq/libzmq/issues/1191
https://bugs.archlinux.org/task/42381
http://seclists.org/oss-sec/2014/q3/776
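The two defect classes in the Description (a handshake that tolerates a peer announcing a different security mechanism, and message nonces that are not checked for uniqueness) are illustrated below in constructed example code. It is added here and is not libzmq's code; it does not reproduce the actual bug in stream_engine.cpp. It assumes the ZMTP 3.0 greeting layout (64 bytes: 10-byte signature, 2-byte version, 20-byte NUL-padded mechanism name, 1-byte as-server flag, 31-byte filler) and 8-byte big-endian counter nonces as used for CurveZMQ short nonces; the function and class names are the example's own.

```python
"""Added example: what a ZMTP endpoint must verify to resist the two
attack classes in ASA-201410-4. Constructed code, not libzmq's own.

1. Mechanism check (downgrade class): the peer's greeting must announce
   exactly the mechanism this end was configured for. A CURVE endpoint
   that accepts a NULL or PLAIN greeting can be downgraded by whoever
   sits in the path, so a mismatch is a hard reject, not a fallback.
2. Nonce check (replay class): every nonce received from a peer must be
   strictly greater than the last one accepted, so a recorded message
   cannot be fed back in.
"""

# ZMTP 3.0 greeting layout (assumption, per the ZMTP 3.0 spec):
# signature (10) | version (2) | mechanism (20, ASCII, NUL padded) |
# as-server (1) | filler (31)  => 64 bytes total.
GREETING_LEN = 64
MECHANISM_LEN = 20


def build_greeting(mechanism: str, as_server: bool = False,
                   version: tuple = (3, 0)) -> bytes:
    """Build a ZMTP 3.0 greeting announcing `mechanism` (e.g. CURVE, NULL)."""
    mech = mechanism.encode("ascii")
    if len(mech) > MECHANISM_LEN:
        raise ValueError("mechanism name too long")
    signature = b"\xff" + b"\x00" * 8 + b"\x7f"
    return (signature
            + bytes(version)
            + mech.ljust(MECHANISM_LEN, b"\x00")
            + bytes([1 if as_server else 0])
            + b"\x00" * 31)


def parse_greeting(raw: bytes) -> dict:
    """Parse and validate a greeting; raise ValueError on anything malformed."""
    if len(raw) != GREETING_LEN:
        raise ValueError("greeting must be exactly 64 bytes")
    if raw[0] != 0xFF or raw[9] != 0x7F:
        raise ValueError("bad ZMTP signature")
    major, minor = raw[10], raw[11]
    if major < 3:
        raise ValueError("peer version has no mechanism field")
    mechanism = raw[12:12 + MECHANISM_LEN].rstrip(b"\x00")
    # Name must be non-empty printable ASCII with no embedded NUL bytes.
    if not mechanism or not all(0x20 < b < 0x7F for b in mechanism):
        raise ValueError("bad mechanism field")
    as_server = raw[32]
    if as_server not in (0, 1):
        raise ValueError("bad as-server flag")
    return {"version": (major, minor),
            "mechanism": mechanism.decode("ascii"),
            "as_server": bool(as_server)}


def mechanism_accepted(raw: bytes, configured: str) -> bool:
    """True only if the peer announces exactly the configured mechanism."""
    try:
        greeting = parse_greeting(raw)
    except ValueError:
        return False
    return greeting["mechanism"] == configured


class NonceGuard:
    """Per-connection, per-direction tracker of a peer's message nonces.

    Assumes 8-byte big-endian counter nonces that the sender increments
    for every message. Anything not strictly greater than the last
    accepted value is rejected, covering both a verbatim replay and an
    out-of-order re-injection of old traffic.
    """

    def __init__(self, nonce_len: int = 8):
        self.nonce_len = nonce_len
        self.last_accepted = -1

    def accept(self, nonce: bytes) -> bool:
        if len(nonce) != self.nonce_len:
            return False
        value = int.from_bytes(nonce, "big")
        if value <= self.last_accepted:
            return False
        self.last_accepted = value
        return True


def replay_demo() -> list:
    """Constructed traffic: three legitimate messages, then the recorded
    second message re-injected. Returns the per-message verdicts."""
    guard = NonceGuard()
    legit = [n.to_bytes(8, "big") for n in (1, 2, 3)]
    replayed = legit[1]
    return [guard.accept(n) for n in legit + [replayed]]


if __name__ == "__main__":
    curve = build_greeting("CURVE", as_server=True)
    null = build_greeting("NULL")
    print("CURVE peer vs CURVE config:", mechanism_accepted(curve, "CURVE"))
    print("NULL peer vs CURVE config: ", mechanism_accepted(null, "CURVE"))
    print("replay verdicts:", replay_demo())
```

The point of the mechanism check is that the configured side decides, and the peer's greeting is only compared against that decision; the replay guard needs state per connection and per direction, since each sender keeps its own counter.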