Bug 1147311 (CVE-2014-7202)

Summary: CVE-2014-7202 zeromq: stream engine security can be downgraded by client.
Product: [Other] Security Response
Reporter: Wade Mealing <wmealing>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andrewniemants, djorm, jose.p.oliveira.oss, mrunge, tomspur, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-09 04:45:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1147291

Description Wade Mealing 2014-09-29 01:38:07 UTC
When accepting a connection as client or server, the engine takes the mechanism from the peer and implements the peer's mechanism without ensuring that it matches the mechanism set on the socket. This may allow an attacker to create a situation in which they can create a man-in-the-middle downgrade attack.
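Added example (not code from the upstream commit or from libzmq): a minimal C model of the check the description calls for. It pulls the mechanism name out of a ZMTP 3.x greeting (the 64-octet layout with the 20-octet mechanism field at offset 12 is assumed from the ZMTP 3.0 specification), and places the unchecked adoption of the peer's mechanism beside a version that rejects anything other than the mechanism configured on the socket; all greeting bytes are constructed in `make_greeting`.

```c
#include <stdint.h>
#include <string.h>

#define ZMTP_GREETING_LEN 64   /* a ZMTP 3.x greeting is a fixed 64 octets (assumed layout) */
#define ZMTP_MECH_OFF     12   /* offset of the 20-octet, null-padded mechanism field */
#define ZMTP_MECH_LEN     20
enum hs_result { HS_OK = 0, HS_BAD_GREETING = -1, HS_MECH_MISMATCH = -2 };

/* Copy the mechanism name out of a greeting after checking the signature (0xFF ... 0x7F) and major version 3. */
static int greeting_mechanism(const uint8_t *g, size_t len, char *out, size_t outlen)
{
    if (len < ZMTP_GREETING_LEN || g[0] != 0xFF || g[9] != 0x7F || g[10] != 3) return HS_BAD_GREETING;
    size_t n = 0;
    while (n < ZMTP_MECH_LEN && g[ZMTP_MECH_OFF + n] != 0) n++;
    if (n == 0 || n + 1 > outlen) return HS_BAD_GREETING;   /* empty name or no room for the terminator */
    memcpy(out, g + ZMTP_MECH_OFF, n); out[n] = '\0';
    return HS_OK;
}

/* Vulnerable pattern: whatever the peer announces is adopted, e.g. "NULL" against a CURVE socket. */
int choose_mechanism_unchecked(const uint8_t *g, size_t len, char *out, size_t outlen)
{
    return greeting_mechanism(g, len, out, outlen);
}

/* Hardened pattern: the announced mechanism must equal the one set on the socket. */
int choose_mechanism_checked(const char *configured, const uint8_t *g, size_t len, char *out, size_t outlen)
{
    int rc = greeting_mechanism(g, len, out, outlen);
    if (rc != HS_OK) return rc;
    return strcmp(out, configured) == 0 ? HS_OK : HS_MECH_MISMATCH;
}

/* Constructed test greeting: version 3.0, announcing `mech`, as-server = 0, filler zeroed. */
static void make_greeting(uint8_t *g, const char *mech)
{
    size_t n = strlen(mech);
    memset(g, 0, ZMTP_GREETING_LEN);
    g[0] = 0xFF; g[9] = 0x7F; g[10] = 3;
    memcpy(g + ZMTP_MECH_OFF, mech, n < ZMTP_MECH_LEN ? n : ZMTP_MECH_LEN);
}

/* A peer announcing `peer_mech` connects to a socket configured for `configured`; returns an hs_result. */
int negotiate(const char *configured, const char *peer_mech, int enforce)
{
    uint8_t g[ZMTP_GREETING_LEN];
    char chosen[ZMTP_MECH_LEN + 1];
    make_greeting(g, peer_mech);
    return enforce ? choose_mechanism_checked(configured, g, sizeof g, chosen, sizeof chosen)
                   : choose_mechanism_unchecked(g, sizeof g, chosen, sizeof chosen);
}
```

With `enforce` set to 0 a peer offering "NULL" to a socket configured for CURVE is accepted, which is the downgrade the description refers to; with `enforce` set to 1 the same greeting is rejected with `HS_MECH_MISMATCH`.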

Comment 1 Murray McAllister 2014-09-29 02:39:29 UTC
Upstream commit:

https://github.com/hintjens/libzmq/commit/77f14aad95cdf0d2a244ae9b4a025e5ba0adf01a

From a brief inspection, it appears as though zeromq and zeromq 3 in Fedora may not be affected.

Comment 3 Wade Mealing 2014-10-08 00:27:19 UTC
Statement:

This issue did not affect the versions of zeromq as shipped with Inktank Ceph Enterprise 1.2 and 1.3.

Comment 4 Wade Mealing 2014-10-09 04:41:07 UTC
The Fedora 20 release zeromq3-3.2.4-1.fc20.src.rpm is the same release that was audited by the Inktank developers and found to be not affected by this issue.