0MQ version 4.3.1 stable:
* CVE-2019-6250: A vulnerability has been found that would allow attackers to
direct a peer to jump to and execute from an address indicated by the
attacker.
This issue has been present since v4.2.0. Older releases are not affected.
NOTE: The attacker needs to know in advance valid addresses in the peer's
memory to jump to, so measures like ASLR are effective mitigations.
NOTE: this attack can only take place after authentication, so peers behind
CURVE/GSSAPI are not vulnerable to unauthenticated attackers.
See https://github.com/zeromq/libzmq/issues/3351 for more details.
Thanks to Guido Vranken for uncovering the issue and providing the fix!
* Note for packagers: as pkg-config's Requires.private is now used to properly
propagate dependencies for static builds, the libzmq*-dev or zeromq-devel or
equivalent package should now depend on the libfoo-dev or foo-devel packages
of all the libraries that zmq is linked against, or pkg-config --libs libzmq
will fail due to missing dependencies on end users machines.
0MQ version 4.3.0 stable:
* The following DRAFT APIs have been marked as STABLE and will not change
anymore:
- ZMQ_MSG_T_SIZE context option (see doc/zmq_ctx_get.txt)
- ZMQ_THREAD_AFFINITY_CPU_ADD and ZMQ_THREAD_AFFINITY_CPU_REMOVE (Posix only)
context options, to add/remove CPUs to the affinity set of the I/O threads.
See doc/zmq_ctx_set.txt and doc/zmq_ctx_get.txt for details.
- ZMQ_THREAD_NAME_PREFIX (Posix only) context option, to add a specific
integer prefix to the background threads names, to easily identify them.
See doc/zmq_ctx_set.txt and doc/zmq_ctx_get.txt for details.
- ZMQ_GSSAPI_PRINCIPAL_NAMETYPE and ZMQ_GSSAPI_SERVICE_PRINCIPAL_NAMETYPE
socket options, for the corresponding GSSAPI features. Additional
definitions for principal name types:
- ZMQ_GSSAPI_NT_HOSTBASED
- ZMQ_GSSAPI_NT_USER_NAME
- ZMQ_GSSAPI_NT_KRB5_PRINCIPAL
See doc/zmq_gssapi.txt for details.
- ZMQ_BINDTODEVICE socket option (Linux only), which will bind the
socket(s) to the specified interface. Allows to use Linux VRF, see:
https://www.kernel.org/doc/Documentation/networking/vrf.txt
NOTE: requires the program to be ran as root OR with CAP_NET_RAW
- zmq_timers_* APIs. These functions can be used for cross-platforms timed
callbacks. See doc/zmq_timers.txt for details.
- The following socket monitor events:
- ZMQ_EVENT_HANDSHAKE_FAILED_NO_DETAIL: unknown errors during handshake.
- ZMQ_EVENT_HANDSHAKE_SUCCEEDED: Handshake completed with authentication.
- ZMQ_EVENT_HANDSHAKE_FAILED_PROTOCOL: Protocol errors with peers or ZAP.
- ZMQ_EVENT_HANDSHAKE_FAILED_AUTH: Failed authentication requests.
See doc/zmq_socket_monitor.txt for more details and error codes.
- zmq_stopwatch_intermediate which returns the time elapsed without stopping
the stopwatch.
- zmq_proxy_steerable command 'STATISTICS' to retrieve stats about the amount
of messages and bytes sent and received by the proxy.
See doc/zmq_proxy_steerable.txt for more information.
* The build-time configuration option to select the poller has been split, and
new API_POLLER (CMake) and --with-api-poller (autoconf) options will now
determine what system call is used to implement the zmq_poll/zmq_poller APIs.
The previous POLLER and --with-poller options now only affects the
internal I/O thread. In case API_POLLER is not specified, the behaviour keeps
backward compatibility intact and will be the same as with previous releases.
* The non-default "poll" poller for the internal I/O thread (note: NOT for the
zmq_poll/zmq_poller user APIs!) has been disabled on Windows as WSAPoll does
not report connection failures. For more information see:
- https://daniel.haxx.se/blog/2012/10/10/wsapoll-is-broken/
- https://curl.haxx.se/mail/lib-2012-10/0038.html
- https://bugs.python.org/issue16507
* New epoll implementation for Windows, using the following implementation:
https://github.com/piscisaureus/wepoll/tree/v1.5.4
To use this, select "epoll" as the poller option in the build system.
Note for distributors: the wepoll source code is embedded and distributed.
It is licensed under the BSD-2-Clause and thus it is compatible with LGPL-3.0.
Note that, if selected at build time, the license text must be distributed
with the binary in accordance to the license terms. A copy can be found at:
external/wepoll/license.txt
* The pre-made Visual Studio solutions file are deprecated, and users are
encouraged to use the CMake solution generation feature instead.
* New DRAFT (see NEWS for 4.2.0) socket options:
- ZMQ_ROUTER_NOTIFY to deliver a notification when a peer connects and/or
disconnects in the form of a routing id plus a zero-length frame.
- ZMQ_MULTICAST_LOOP to control whether the data sent should be looped back
on local listening sockets for UDP multicast sockets (ZMQ_RADIO).
See doc/zmq_setsockopt.txt and doc/zmq_getsockopt.txt for details.
* New perf tool, perf/benchmark_radix_tree, to measure the performance of the
different internal implementations of the trie algorithm used to track
subscriptions. Requires a compiler that supports C++11.
* New autoconf flag "--enable-force-CXX98-compat" which will force -std=gnu++98
and, if the compiler supports them (clang++ at the moment), it will also add
-Wc++98-compat -Wc++98-compat-pedantic so that compatibility with C++98 can
be tested.
* Many, many coding style, duplication and static analysis improvements.
* Many, many improvements to the CMake build system, especially on Windows.
* Many, many improvements to unit tests.
ce55fffaf9