0MQ version 4.3.2 stable, released on 2019/07/08
================================================

* CVE-2019-13132: a remote, unauthenticated client connecting to a
  libzmq application, running with a socket listening with CURVE
  encryption/authentication enabled, may cause a stack overflow and
  overwrite the stack with arbitrary data, due to a buffer overflow in
  the library. Users running public servers with the above configuration
  are highly encouraged to upgrade as soon as possible, as there are no
  known mitigations. All versions from 4.0.0 and upwards are affected.
  Thank you Fang-Pen Lin for finding the issue and reporting it!

* New DRAFT (see NEWS for 4.2.0) zmq_socket_monitor_versioned API that supports
  a versioned monitoring events protocol as a parameter. Passing 1 results in
  the same behaviour as zmq_socket_monitor.
  Version 2 of the events protocol allows new events, new metadata, different
  socket types for the monitors and more. It is described in detail in
  doc/zmq_socket_monitor_versioned.txt

* New DRAFT (see NEWS for 4.2.0) zmq_socket_monitor_pipes_stats that triggers
  a new ZMQ_EVENT_PIPES_STATS to be delivered via zmq_socket_monitor_versioned
  v2 API, which contains the current status of all the queues owned by the
  monitored socket. See doc/zmq_socket_monitor_versioned.txt for details.

* New DRAFT (see NEWS for 4.2.0) zmq_poller_fd that returns the FD of a
  thread-safe socket. See doc/zmq_poller.txt for details.

* New DRAFT (see NEWS for 4.2.0) socket options:
  - ZMQ_XPUB_MANUAL_LAST_VALUE is similar to ZMQ_XPUB_MANUAL but allows
    avoiding duplicates when using last value caching.
  - ZMQ_SOCKS_USERNAME and ZMQ_SOCKS_PASSWORD that implement SOCKS5 proxy
    authentication.
  See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.

* Implemented background thread names for Windows, when the Visual Studio
  debugger is being used.

* Fixed #3358 - test_security_zap failing due to SIGBUS on SPARC64, hard-coded
                IPC socket binds in tests cause race conditions

* Fixed #3361 - enabling GSSAPI support (when using autotools) does not work due
                to regression introduced in 4.2.3

* Fixed #3362 - remove documentation for ZMQ_THREAD_PRIORITY context option
                getter, it's not implemented

* Fixed #3363 - tests fail to build due to stricter compiler printf validation
                in new versions of GCC

* Fixed #3367 - try to infer cacheline size at build time, first with
                getconf LEVEL1_DCACHE_LINESIZE, and then by reading
                /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
                (autoconf only), and only then falling back to the previous
                default of 64 bytes. Avoids false sharing on POWER and s390x.
                Import ax_func_posix_memalign.m4 as a more reliable check for
                posix_memalign presence on some unix platforms.
                Prefer c++11 atomic primitives to compiler intrinsics, when
                both are available, as the former is more reliable.
                Set test_pair_ipc and test_rebind_ipc to XFAIL on GNU/Hurd due
                to non-functioning getsockname on AF_UNIX.

* Fixed #3370 - Make queue length and HWM state observable

* Fixed #3373 - performance regression in zmq_poll on CentOS 6/7

* Fixed #3375 - assign names to all pthreads created by the library to ease
                debugging

* Fixed #3376 - assigned random TIPC port is not returned by ZMQ_LAST_ENDPOINT

* Fixed #3385 - TCP port in ZMQ_LAST_ENDPOINT depends on global locale

* Fixed #3404 - use std::condition_variable_any when possible

* Fixed #3436 - reconnect interval exponential backoff may lead to integer
                overflows

* Fixed #3440 - improve zmq_proxy performance by batching of up to 1000
                consecutive messages (if any) and add perf/proxy_thr tool

* Fixed #3451 - fix support of /dev/poll on Solaris

* Fixed #3452 - strnlen may not be available

* Fixed #1462 - test failure in test_filter_ipc due to invalid system groups

* Fixed #3269 - Boost.ASIO integration stopped working with v4.3.0

* Fixed #3479 - ZeroMQ does not build for QNX 6.6 with CMake

* Fixed #3481 - add <ios> include to fix uClibc++ compilation

* Fixed #3491 - build broken on Fedora 30

* Fixed #3494 - ZeroMQConfig.cmake fails if shared libraries are not built

* Fixed #3498 - syntax error on Windows related to socket descriptor type

* Fixed #3500 - PLAIN HELLO message incorrectly uses WELCOME literal, regression
                introduced in 4.3.0

* Fixed #3517 - configure errors because of syntax errors in the use of test
                shell command

* Fixed #3521 - document how to achieve high performance with the PGM transport

* Fixed #3526 - failure case behavior unclear in zmq_msg_send documentation

* Fixed #3537 - fix build on z/OS by using pthread_equal instead of comparing
                variables directly

* Fixed #3546 - CMake links with librt on MinGW which is not available

* Many coding style, duplication, testing and static analysis improvements.


0MQ version 4.3.1 stable, released on 2019/01/12
================================================

* CVE-2019-6250: A vulnerability has been found that would allow attackers to
  direct a peer to jump to and execute from an address indicated by the
  attacker.
  This issue has been present since v4.2.0. Older releases are not affected.
  NOTE: The attacker needs to know in advance valid addresses in the peer's
  memory to jump to, so measures like ASLR are effective mitigations.
  NOTE: this attack can only take place after authentication, so peers behind
  CURVE/GSSAPI are not vulnerable to unauthenticated attackers.
  See https://github.com/zeromq/libzmq/issues/3351 for more details.
  Thanks to Guido Vranken for uncovering the issue and providing the fix!

* Note for packagers: as pkg-config's Requires.private is now used to properly
  propagate dependencies for static builds, the libzmq*-dev or zeromq-devel or
  equivalent package should now depend on the libfoo-dev or foo-devel packages
  of all the libraries that zmq is linked against, or pkg-config --libs libzmq
  will fail due to missing dependencies on end users' machines.

* Fixed #3351 - remote code execution vulnerability.

* Fixed #3343 - race condition in ZMQ_PUSH when quickly disconnecting and
                reconnecting causes last part of multi-part message to get
                "stuck" and resent by mistake to the new socket.

* Fixed #3336 - set Requires.private in generated pkg-config file.

* Fixed #3334 - set TCP_NODELAY after connect() on Windows for the I/O socket.

* Fixed #3326 - assert on Android when opening a socket and disabling WiFi.

* Fixed #3320 - build failure on OpenBSD with GCC.

0MQ version 4.3.0 stable, released on 2018/11/28
================================================

* The following DRAFT APIs have been marked as STABLE and will not change
  anymore:
  - ZMQ_MSG_T_SIZE context option (see doc/zmq_ctx_get.txt)
  - ZMQ_THREAD_AFFINITY_CPU_ADD and ZMQ_THREAD_AFFINITY_CPU_REMOVE (Posix only)
    context options, to add/remove CPUs to the affinity set of the I/O threads.
    See doc/zmq_ctx_set.txt and doc/zmq_ctx_get.txt for details.
  - ZMQ_THREAD_NAME_PREFIX (Posix only) context option, to add a specific
    integer prefix to the background threads names, to easily identify them.
    See doc/zmq_ctx_set.txt and doc/zmq_ctx_get.txt for details.
  - ZMQ_GSSAPI_PRINCIPAL_NAMETYPE and ZMQ_GSSAPI_SERVICE_PRINCIPAL_NAMETYPE
    socket options, for the corresponding GSSAPI features. Additional
    definitions for principal name types:
    - ZMQ_GSSAPI_NT_HOSTBASED
    - ZMQ_GSSAPI_NT_USER_NAME
    - ZMQ_GSSAPI_NT_KRB5_PRINCIPAL
    See doc/zmq_gssapi.txt for details.
  - ZMQ_BINDTODEVICE socket option (Linux only), which will bind the
    socket(s) to the specified interface. Allows use of Linux VRF, see:
    https://www.kernel.org/doc/Documentation/networking/vrf.txt
    NOTE: requires the program to be run as root OR with CAP_NET_RAW
  - zmq_timers_* APIs. These functions can be used for cross-platform timed
    callbacks. See doc/zmq_timers.txt for details.
  - The following socket monitor events:
    - ZMQ_EVENT_HANDSHAKE_FAILED_NO_DETAIL: unknown errors during handshake.
    - ZMQ_EVENT_HANDSHAKE_SUCCEEDED: Handshake completed with authentication.
    - ZMQ_EVENT_HANDSHAKE_FAILED_PROTOCOL: Protocol errors with peers or ZAP.
    - ZMQ_EVENT_HANDSHAKE_FAILED_AUTH: Failed authentication requests.
    See doc/zmq_socket_monitor.txt for more details and error codes.
  - zmq_stopwatch_intermediate which returns the time elapsed without stopping
    the stopwatch.
  - zmq_proxy_steerable command 'STATISTICS' to retrieve stats about the amount
    of messages and bytes sent and received by the proxy.
    See doc/zmq_proxy_steerable.txt for more information.

* The build-time configuration option to select the poller has been split, and
  new API_POLLER (CMake) and --with-api-poller (autoconf) options will now
  determine what system call is used to implement the zmq_poll/zmq_poller APIs.
  The previous POLLER and --with-poller options now only affect the
  internal I/O thread. In case API_POLLER is not specified, the behaviour keeps
  backward compatibility intact and will be the same as with previous releases.

* The non-default "poll" poller for the internal I/O thread (note: NOT for the
  zmq_poll/zmq_poller user APIs!) has been disabled on Windows as WSAPoll does
  not report connection failures. For more information see:
  - https://daniel.haxx.se/blog/2012/10/10/wsapoll-is-broken/
  - https://curl.haxx.se/mail/lib-2012-10/0038.html
  - https://bugs.python.org/issue16507