libzmq4 -- V3 protocol handler vulnerable to downgrade attacks

2014-12-04T00:00:00
ID 10A6D0AA-0B1C-11E5-BB90-002590263BF5
Type freebsd
Reporter FreeBSD
Modified 2015-09-28T00:00:00

Description

Pieter Hintjens reports:

It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism.