zeromq was updated to version 4.0.5 to fix two security issues and various other bugs.
These security issues were fixed:
- zeromq did not properly validate the other party's security handshake,
allowing a man-in-the-middle downgrade attack (CVE-2014-7202).
- zeromq did not implement a uniqueness check on connection nonces, and the
CurveZMQ RFC was ambiguous about nonce validation. This allowed replay attacks
(CVE-2014-7203).
Other issues fixed in this update:
- CURVE mechanism does not verify short term nonces.
- stream_engine is vulnerable to downgrade attacks.
- assertion failure for WSAENOTSOCK on Windows.
- race condition while connecting inproc sockets.
- bump so library number to 4.0.0
- assertion failed: !more (fq.cpp:99) after many ZAP requests.
- lost first part of message over inproc://.
Submitted by Tomáš Chvátal (scarabeus_iv)