Skip to content

libzmq 4.3.3

Compare
Choose a tag to compare
@bluca bluca released this 07 Sep 16:26
· 465 commits to master since this release
v4.3.3

0MQ version 4.3.3 stable, released on 2020/09/07

  • Security advisories:

    • CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
      unauthenticated clients.
      If a raw TCP socket is opened and connected to an endpoint that is fully
      configured with CURVE/ZAP, legitimate clients will not be able to exchange
      any message. Handshakes complete successfully, and messages are delivered to
      the library, but the server application never receives them.
      For more information see the security advisory:
      GHSA-25wp-cf8g-938m
    • Stack overflow on server running PUB/XPUB socket (CURVE disabled).
      The PUB/XPUB subscription store (mtrie) is traversed using recursive
      function calls. In the remove (unsubscription) case, the recursive calls are
      NOT tail calls, so even with optimizations the stack grows linearly with the
      length of a subscription topic. Topics are under the control of remote
      clients - they can send a subscription to arbitrary length topics. An
      attacker can thus cause a server to create an mtrie sufficiently large such
      that, when unsubscribing, traversal will cause a stack overflow.
      For more information see the security advisory:
      GHSA-qq65-x72m-9wr8
    • Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
      Messages with metadata are never processed by PUB sockets, but the metadata
      is kept referenced in the PUB object and never freed.
      For more information see the security advisory:
      GHSA-4p5v-h92w-6wxw
    • Memory leak in client induced by malicious server(s) without CURVE/ZAP.
      When a pipe processes a delimiter and is already not in active state but
      still has an unfinished message, the message is leaked.
      For more information see the security advisory:
      GHSA-wfr2-29gj-5w87
    • Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
      By crafting a packet which is not valid ZMTP v2/v3, and which has two
      messages larger than 8192 bytes, the decoder can be tricked into changing
      the recorded size of the 8192 bytes static buffer, which then gets overflown
      by the next message. The content that gets written in the overflown memory
      is entirely decided by the sender.
      For more information see the security advisory:
      GHSA-fc3w-qxf5-7hp6
  • Note for packagers: an external, self-contained sha1 library is now
    included in the source tree under external/sha1/ - it is licensed
    under BSD-3-Clause and thus it is fully compatible with libzmq's
    license.
    It is only used if WebSockets support is enabled, and if neither GnuTLS nor
    NSS are available.

  • Note for packagers: an internal reimplementation of strlcpy is now included,
    for wider platform compatibility.
    libbsd can be used and is enabled by default if available instead of the
    internal implementation, for better security maintenance in distros.

  • Note for packagers: ZeroMQConfig.cmake is now installed in the arch-dependent
    subdirectory - eg: /usr/lib/x86_64-linux-gnu/cmake/

  • New DRAFT (see NEWS for 4.2.0) socket type:

    • ZMQ_CHANNEL is a thread-safe alternative to ZMQ_PAIR.
      See doc/zmq_socket.txt for details.
  • New DRAFT (see NEWS for 4.2.0) socket option:

    • ZMQ_ONLY_FIRST_SUBSCRIBE will cause only the first part of a multipart
      message to be processed as a subscribe/unsubscribe message, and the rest
      will be forwarded as user data to the application.
    • ZMQ_RECONNECT_STOP will cause a connecting socket to stop trying to
      reconnect in specific circumstances. See the manpage for details.
    • ZMQ_HELLO_MSG to set a message that will be automatically sent to a new
      connection.
    • ZMQ_DISCONNECT_MSG to set a message that will be automatically received when
      a peer disconnects.
      See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.
  • New DRAFT (see NEWS for 4.2.0) zmq_ctx_get_ext/zmq_ctx_set_ext APIs were added
    to allow enhancing the context options with variable data inputs.
    See doc/zmq_ctx_get_ext.txt and doc/zmq_ctx_set_ext.txt for details.

  • New DRAFT (see NEWS for 4.2.0) transport options WS and WSS added for support
    of WebSockets (and secure WebSockets via TLS) via the ZWS 2.0 protocol.
    WSS requires the GnuTLS library for TLS support. ZMQ_WSS_ specific socket
    options were added to support TLS.
    WebSockets support is disabled by default if DRAFT APIs are disabled.

  • New DRAFT (see NEWS for 4.2.0) socket type, PEER, which is thread safe and a
    related zmq_connect_peer function which atomically and thread-safely connects
    and returns a routing-id.

  • New DRAFT (see NEWS for 4.2.0) zmq_msg_init_buffer API was added to allow
    the construction of a message by copying from an existing buffer.

  • New DRAFT (see NEWS for 4.2.0) zmq_poller_size API was added to allow querying
    the number of sockets/fds registered in a zmq_poller.

  • ZMTP 3.1 peers will receive subscribe/cancel on PUB/SUB via commands rather
    than using the first byte of the payload.

  • zmq_z85_decode now checks that the input string's length is at least 5 characters
    and always a multiple of 5 as per API specification.

  • Fixed #3566 - malformed CURVE message can cause memory leak

  • Fixed #3567 - missing ZeroMQ_INCLUDE_DIR in ZeroMQConfig.cmake when only
    static lib is built

  • Fixed #3576 - CURVE plaintext secrets now stored in libsodium's secure memory

  • Fixed #3588 - install debug libraries for debug msvc builds with CMake

  • Fixed #3591 - incorrect ZMQ_MAX_SOCKETS default value in doc

  • Fixed #3594 - fixed stream_engine use after free due to concurrent heartbeats

  • Fixed #3586 - error when compiling with MinGW due to usage of MS-specific
    __except keyword

  • Fixed #3603 - fixed CMake build on SL6.9

  • Fixed #3607 - added scripts to ease performance graph generation

  • Fixed #3608 - fix for IPv4 mapping not supported in DragonFlyBSD

  • Fixed #3636 - added ENABLE_PRECOMPILED CMake option to fix build with Ninja

  • Fixed #2862 - UDP engine aborts on networking-related errors from socket
    syscalls

  • Fixed #3656 - segfault on sending data from XSUB to XPUB

  • Fixed #3646 - static-only test run fails

  • Fixed #3668 - fixed CMAKE_CXX_FLAGS_* regexes on MSVC

  • Fixed #110 - do not include winsock2.h in public zmq.h header

  • Fixed #3683 - allow "configure --disable-maintainer-mode"

  • Fixed #3686 - fix documentation about sockets blocking on send operations

  • Fixed #3323 - fix behavior of ZMQ_CONFLATE on PUB sockets

  • Fixed #3698 - fix build on IBM i/PASE/os400

  • Fixed #3705 - zero-sized messages cause assertion when glibc assertion are on

  • Fixed #3713 - remove dependency on math library by avoiding std::ceil

  • Fixed #3694 - build targeting Windows XP is broken

  • Fixed #3691 - added support for IPC on Windows 10 via AF_UNIX

  • Fixed #3725 - disable by default test that requires sudo on CMake

  • Fixed #3727 - fix zmq_poller documentation example

  • Fixed #3729 - do not check for FD_OOB when using WSAEventSelect on Windows

  • Fixed #3738 - allow renaming the library in CMake

  • Fixed #1808 - use AF_UNIX instead of TCP for the internal socket on Windows 10

  • Fixed #3758 - fix pthread_set_affinity detection in CMake

  • Fixed #3769 - fix undefined behaviour in array.hpp

  • Fixed #3772 - fix compiling under msys2-mingw

  • Fixed #3775 - add -latomic to the private libs flag in pkg-config if needed

  • Fixed #3778 - fix documentation of zmq_poller's thread safety

  • Fixed #3792 - do not allow creation of new sockets after zmq_ctx_shutdown

  • Fixed #3805 - improve performance of CURVE by reducing copies

  • Fixed #3814 - send subscribe/cancel as commands to ZMTP 3.1 peers

  • Fixed #3847 - fix building without PGM and NORM

  • Fixed #3849 - install .cmake file in arch-dependent subdirectory

  • Fixed #4005 - allow building on Windows ARM/ARM64