ZeroMQ v4.3.2 Release Notes

Release Date: 2019-07-08 // over 2 years ago
  • ๐Ÿš€ 0MQ version 4.3.2 stable, released on 2019/07/08

    CVE-2019-13132: a remote, unauthenticated client connecting to a
    libzmq application, running with a socket listening with CURVE
    encryption/authentication enabled, may cause a stack overflow and
    overwrite the stack with arbitrary data, due to a buffer overflow in
    ๐Ÿ”ง the library. Users running public servers with the above configuration
    โฌ†๏ธ are highly encouraged to upgrade as soon as possible, as there are no
    known mitigations. All versions from 4.0.0 and upwards are affected.
    Thank you Fang-Pen Lin for finding the issue and reporting it!

    New DRAFT (see NEWS for 4.2.0) zmq_socket_monitor_versioned API that supports
    a versioned monitoring events protocol as a parameter. Passing 1 results in
    the same behaviour as zmq_socket_monitor.
    ๐Ÿ”– Version 2 of the events protocol allows new events, new metadata, different
    socket types for the monitors and more. It is described in details in
    doc/zmq_socket_monitor_versioned.txt

    New DRAFT (see NEWS for 4.2.0) zmq_socket_monitor_pipes_stats that triggers
    a new ZMQ_EVENT_PIPES_STATS to be delivered via zmq_socket_monitor_versioned
    v2 API, which contains the current status of all the queues owned by the
    monitored socket. See doc/zmq_socket_monitor_versioned.txt for details.

    New DRAFT (see NEWS for 4.2.0) zmq_poller_fd that returns the FD of a thread
    ๐Ÿ‘€ safe socket. See doc/zmq_poller.txt for details.

    ๐Ÿ†• New DRAFT (see NEWS for 4.2.0) socket options:

    • ZMQ_XPUB_MANUAL_LAST_VALUE is similar to ZMQ_XPUB_MANUAL but allows to avoid
      duplicates when using last value caching.
    • ZMQ_SOCKS_USERNAME and ZMQ_SOCKS_PASSWORD that implement SOCKS5 proxy
      authentication.
      See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.

    ๐Ÿ Implemented background thread names for Windows, when the Visual Studio
    debugger is being used.

    ๐Ÿ”’ Fixed #3358 - test_security_zap failing due to SIGBUS on SPARC64, hard-coded
    โœ… IPC socket binds in tests cause race conditions

    ๐Ÿ›  Fixed #3361 - enabling GSSAPI support (when using autools) does not work due
    to regression introduced in 4.2.3

    Fixed #3362 - remove documentation for ZMQ_THREAD_PRIORITY context option
    getter, it's not implemented

    ๐Ÿ›  Fixed #3363 - tests fail to build due to stricter compiler printf validation
    in new versions of GCC

    ๐Ÿ›  Fixed #3367 - try to infer cacheline size at build time, first with
    getconf LEVEL1_DCACHE_LINESIZE, and then by reading
    /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
    (autoconf only), and only then falling back to the previous
    0๏ธโƒฃ default of 64 bytes. Avoids false sharing on POWER and s390x.
    Import ax_func_posix_memalign.m4 as a more reliable check for
    posix_memalign presence on some unix platforms.
    Prefer c++11 atomic primitives to compiler intrinsics, when
    both are available, as the former is more reliable.
    Set test_pair_ipc and test_rebind_ipc to XFAIL on GNU/Hurd due
    to non-functioning getsockname on AF_UNIX.

    ๐Ÿ›  Fixed #3370 - Make queue length and HWM state observable

    ๐Ÿ›  Fixed #3373 - performance regression in zmq_poll on CentOS 6/7

    ๐Ÿ›  Fixed #3375 - assign names to all pthreads created by the library to ease
    debugging

    Fixed #3376 - assigned random TIPC port is not returned by ZMQ_LAST_ENDPOINT

    Fixed #3385 - TCP port in ZMQ_LAST_ENDPOINT depends on global locale

    Fixed #3404 - use std::condition_variable_any when possible

    ๐Ÿ›  Fixed #3436 - reconnect interval exponential backoff and may lead to integer
    overflows

    ๐Ÿ›  Fixed #3440 - improve zmq_proxy performance by batching of up to 1000
    consecutive messages (if any) and add perf/proxy_thr tool

    ๐Ÿ›  Fixed #3451 - fix support of /dev/poll on Solaris

    ๐Ÿ›  Fixed #3452 - strnlen may not be available

    Fixed #1462 - test failure in test_filter_ipc due to invalid system groups

    ๐Ÿ›  Fixed #3269 - Boost.ASIO integration stopped working with v4.3.0

    ๐Ÿ›  Fixed #3479 - ZeroMQ does not build for QNX 6.6 with CMake

    ๐Ÿ›  Fixed #3481 - add include to fix uClibc++ compilation

    ๐Ÿ›  Fixed #3491 - build broken on Fedora 30

    ๐Ÿ›  Fixed #3494 - ZeroMQConfig.cmake fails if shared libraries are not built

    ๐Ÿ›  Fixed #3498 - syntax error on Windows related to socket descriptor type

    ๐Ÿ›  Fixed #3500 - PLAIN HELLO message incorrectly uses WELCOME literal, regression
    introduced in 4.3.0

    ๐Ÿ›  Fixed #3517 - configure errors because of syntax errors in the use of test
    shell command

    ๐Ÿ›  Fixed #3521 - document how to achieve high performance with the PGM transport

    Fixed #3526 - failure case behavior unclear in zmq_msg_send documentation

    ๐Ÿ›  Fixed #3537 - fix build on z/OS by using pthread_equal instead of comparing
    variables directly

    ๐Ÿ›  Fixed #3546 - CMake links with librt on MinGW which is not available

    ๐Ÿ’… Many coding style, duplication, testing and static analysis improvements.


Previous changes from v4.3.1

  • ๐Ÿš€ 0MQ version 4.3.1 stable, released on 2019/01/12

    CVE-2019-6250: A vulnerability has been found that would allow attackers to direct a peer to
    jump to and execute from an address indicated by the attacker.
    ๐Ÿš€ This issue has been present since v4.2.0. Older releases are not affected.
    NOTE: The attacker needs to know in advance valid addresses in the peer's
    memory to jump to, so measures like ASLR are effective mitigations.
    NOTE: this attack can only take place after authentication, so peers behind
    CURVE/GSSAPI are not vulnerable to unauthenticated attackers.
    ๐Ÿ‘€ See #3351 for more details.
    Thanks to Guido Vranken for uncovering the issue and providing the fix!

    ๐Ÿ“ฆ Note for packagers: as pkg-config's Requires.private is now used to properly
    ๐Ÿ— propagate dependencies for static builds, the libzmq*-dev or zeromq-devel or
    ๐Ÿ“ฆ equivalent package should now depend on the libfoo-dev or foo-devel packages
    of all the libraries that zmq is linked against, or pkg-config --libs libzmq
    will fail due to missing dependencies on end users machines.

    ๐Ÿ›  Fixed #3351 - remote code execution vulnerability.

    ๐Ÿ›  Fixed #3343 - race condition in ZMQ_PUSH when quickly disconnecting and
    reconnecting causes last part of multi-part message to get
    "stuck" and resent by mistake to the new socket.

    ๐Ÿ›  Fixed #3336 - set Requires.private in generate pkg-config file.

    ๐Ÿ›  Fixed #3334 - set TCP_NODELAY after connect() on Windows for the I/O socket.

    ๐Ÿ›  Fixed #3326 - assert on Android when opening a socket and disabling WiFi.

    ๐Ÿ›  Fixed #3320 - build failure on OpenBSD with GCC.