0MQ version 4.0.10 stable, released on 2020/09/07 ================================================= * Security advisories: * CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by unauthenticated clients. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m * Stack overflow on server running PUB/XPUB socket (CURVE disabled). The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case, the recursive calls are NOT tail calls, so even with optimizations the stack grows linearly with the length of a subscription topic. Topics are under the control of remote clients - they can send a subscription to arbitrary length topics. An attacker can thus cause a server to create an mtrie sufficiently large such that, when unsubscribing, traversal will cause a stack overflow. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8 * Memory leak in client induced by malicious server(s) without CURVE/ZAP. When a pipe processes a delimiter and is already not in active state but still has an unfinished message, the message is leaked. For more information see the security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 0MQ version 4.0.9 stable, released on 2019/07/08 ================================================ * CVE-2019-13132: a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations. All versions from 4.0.0 and upwards are affected. * Fix documentation to remove mention of features that are not available in 4.0.x. * Fix parsing application metadata when using CURVE. 0MQ version 4.0.8 stable, released on 2016/06/17 ================================================ * Fixed LIBZMQ-949 - zmq_unbind fails for inproc and wildcard endpoints * Fixed #1806 - uninitialised read in curve getsockopt. * Fixed #1807 - build broken with GCC 6. * Fixed #1877 - Avoid terminating connections prematurely * Fixed #1887 - zmq_bind IPv4 fallback still tries IPv6 * Fixed #98 - don't require libssp without libsodium on Solaris * Fixed #919 - ZMQ_LINGER (related to #1877) * Fixed #139 - "tempnam" is deprecated. 0MQ version 4.0.7 stable, released on 2015/06/15 ================================================ * Fixed #1428 - regression on single-socket proxies. 0MQ version 4.0.6 stable, released on 2015/06/02 ================================================ * Fixed #1273 - V3 protocol handler vulnerable to downgrade attacks. * Fixed #1362 - SUB socket sometimes fails to resubscribe properly. * Fixed #1377, #1144 - failed with WSANOTINITIALISED in some cases. * Fixed #1389 - PUB, PUSH sockets had slow memory leak. * Fixed #1382 - zmq_proxy did not terminate if there were no readers. 0MQ version 4.0.5 stable, released on 2014/10/14 ================================================ * Fixed #1191; CURVE mechanism does not verify short term nonces. * Fixed #1190; stream_engine is vulnerable to downgrade attacks. * Fixed #1088; assertion failure for WSAENOTSOCK on Windows. * Fixed #1015; race condition while connecting inproc sockets. * Fixed #994; bump so library number to 4.0.0 * Fixed #939, assertion failed: !more (fq.cpp:99) after many ZAP requests. * Fixed #872; lost first part of message over inproc://. * Fixed #797, keep-alive on Windows. 0MQ version 4.0.4 stable, released on 2014/03/10 ================================================ Bug Fixes --------- * Fixed #909; out of tree build issue on Linux. * Fixed #888; hangs on terminate when inproc connected but never bound. * Fixed #868; assertion failure at ip.cpp:137 when using port scanner. * Fixed #818; fix timestamp counter on s390/s390x. * Fixed #817; only export zmq_* symbols. * Fixed #797; fixed setting TCP keepalive on Windows. * Fixed #775; compile error on Windows. * Fixed #763; when talking to a ZMTP v1 peer (libzmq 2.2), a socket would send an extra identity frame at the start of the connection. * Fixed LIBZMQ-576 - Crash closing a socket after zmq_msg_send returns EAGAIN (reverts LIBZMQ-497) * Fixed LIBZMQ-584; subscription filters getting lost on reconnection. 0MQ version 4.0.3 stable, released on 2013/11/24 ================================================ Bug Fixes --------- * Fixed test_many_sockets case, which failed when process socket limit was 1024. 0MQ version 4.0.2 stable, released on 2013/11/24 ================================================ Bug Fixes --------- * Fixed LIBZMQ-583 - improved low-res timer for Windows * Fixed LIBZMQ-578 - z85_decode was extremely slow * Fixed LIBZMQ-577 - fault in man pages. * Fixed LIBZMQ-574 - assertion failure when ran out of system file handles * Fixed LIBZMQ-571 - test_stream failing in some cases * Fixed LIBZMQ-569 - Socket server crashes with random client data and when talking to 2.2 versions * Fixed LIBZMQ-39 - Bad file descriptor during shutdown * Pulled expected failing test_linger.cpp from release * Reduced pause time in tests to allow "make check" to run faster 0MQ version 4.0.1 stable, released on 2013/10/08 ================================================ Changes ------- * Updated CURVE mechanism to track revised RFC 27 (INITIATE vouch). The INITIATE command vouch box is Box[C',S](C->S') instead of Box[C'](C->S), to reduce the risk of client impersonation, as per https://codesinchaos.wordpress.com/2012/09/09/curvecp-1/. * Fixed LIBZMQ-567, adding abstract namespaces for IPC sockets on Linux. Converts an initial strudel or "at sign" (@) in the Unix socket path to a NULL character ('\0') indicating that the socket uses the abstract namespace instead of the filesystem namespace. For instance, binding a socket to 'ipc://@/tmp/tester' will not create a file associated with the socket whereas binding to 'ipc:///tmp/tester' will create the file /tmp/tester. See issue 567 for more information. * Added zmq_z85_encode and zmq_z85_decode to core libzmq API. * Added zmq_curve_keypair to core libzmq API. * Bumped library ABI version to 4:0:1. Bug fixes --------- * Fixed some build/test errors on OS/X + Clang++. * Fixed LIBZMQ-565, typo in code. * Fixed LIBZMQ-566, dealer-to-router connections sometimes failing. * Fixed builds for AIX, MSVC 2008, OS/X with clang++, Solaris. * Improved CURVE handshake error handling. 0MQ version 4.0.0 (RC1), released on 2013/09/20 =============================================== Major changes ------------- * New wire level protocol, ZMTP/3.0, see http://rfc.zeromq.org/spec:23. Does not yet implement the SUBSCRIBE, CANCEL, PING, and PONG commands. * New security framework, from plain user+password to strong encryption, see section below. See http://hintjens.com/blog:49 for a tutorial. * New ZMQ_STREAM socket type for working as a TCP client or server. See: tests/test_stream.cpp. Improvements ------------ * You can now connect to an inproc:// endpoint that does not already exist. This means inproc:// no longer needs careful set-up, but it may break code that relied on the old behaviour. See: tests/test_inproc_connect.cpp. * Libzmq now checks socket types at connection time, so that trying to connect a 'wrong' socket type will fail. * New zmq_ctx_shutdown API method will shutdown a context and send ETERM to blocking calls, without blocking. Use zmq_ctx_term to finalise the process. * The regression test suite has been significantly extended and improved. * Contexts can now be terminated in forked child processes. See: tests/test_fork.cpp. * zmq_disconnect now respects the linger setting on sockets. * New zmq_send_const API method to send constant data (without copying). See: tests/test_inproc_connect.cpp. * Added CMake support for static libraries. * Added test cases for socket semantics as defined in RFCs 28, 29, 30, 31. See: tests/test_spec_*.cpp. * New socket option, ZMQ_PROBE_ROUTER triggers an empty message on connect. See: tests/test_probe_router.cpp. * New socket option, ZMQ_REQ_CORRELATE allows for correlation of replies from a REP socket. See: tests/test_req_correlate.cpp. * New socket option, ZMQ_REQ_RELAXED, lets you disable the state machine on a REQ socket, so you can send multiple requests without waiting for replies, and without getting an EFSM error. See: tests/test_req_relaxed.cpp. * New socket option, ZMQ_CONFLATE restricts the outgoing and incoming socket buffers to a single message. See: tests/test_conflate.cpp. Deprecated Options ------------------ * ZMQ_IPV4ONLY deprecated and renamed to ZMQ_IPV6 so that options are consistently "off" by default. * ZMQ_DELAY_ATTACH_ON_CONNECT deprecated, and renamed to ZMQ_IMMEDIATE. See: tests/test_immediate.cpp. Security Framework ------------------ Based on new ZMTP wire level protocol that negotiates a security "mechanism" between client and server before exchanging any other data. Security mechanisms are extensible. ZMTP defines three by default: * NULL - classic ZeroMQ, with no authentication. See http://rfc.zeromq.org/spec:23. * PLAIN - plain-text username + password authentication. See http://rfc.zeromq.org/spec:24. * CURVE - secure authentication and encryption based on elliptic curve cryptography, using the Curve25519 algorithm from Daniel Bernstein and based on CurveCP's security handshake. See http://rfc.zeromq.org/spec:25, http://rfc.zeromq.org/spec:26, and http://curvecp.org. Authentication is done by pluggable "authenticators" that connect to libzmq over an inproc endpoint, see http://rfc.zeromq.org/spec:27. Socket options to configure PLAIN security on client or server: * ZMQ_PLAIN_SERVER, ZMQ_PLAIN_USERNAME, ZMQ_PLAIN_PASSWORD. See tests/test_security_plain. Socket options to configure CURVE security on client or server: * ZMQ_CURVE_SERVER, ZMQ_CURVE_PUBLICKEY, ZMQ_CURVE_SECRETKEY, ZMQ_CURVE_SERVERKEY. See tests/test_security_curve.cpp. Socket options to configure "domain" for ZAP handler: * ZMQ_ZAP_DOMAIN, see tests/test_security_null.cpp. Support for encoding/decoding CURVE binary keys to ASCII: * zmq_z85_encode, zmq_z85_decode. Other issues addressed in this release -------------------------------------- * LIBZMQ-525 Multipart upstreaming from XSUB to XPUB 0MQ version 3.2.4 stable, released on 2013/09/20 ================================================ * LIBZMQ-84 (Windows) Assertion failed: Address already in use at signaler.cpp:80 * LIBZMQ-456 ZMQ_XPUB_VERBOSE does not propagate in a tree of XPUB/XSUB devices * LIBZMQ-532 (Windows) critical section not released on error * LIBZMQ-569 Detect OpenPGM 5.2 system library * LIBZMQ-563 Subscribers sometimes stopped receiving messages (aka LIBZMQ-541) * LIBZMQ-XXX Added support for Travis Continuous Integration * LIBZMQ-XXX Several improvements to MSVC support 0MQ version 3.2.3 stable, released on 2013/05/02 ================================================ Issues addressed in this release -------------------------------- * LIBZMQ-526 Assertion failure "Invalid argument (tcp_connecter.cpp:285)" * LIBZMQ-446 Setting the DSCP bits by default causes CAP_NET_ADMIN error * LIBZMQ-496 Crash on heavy socket opening/closing: Device or resource busy (mutex.hpp:90) * LIBZMQ-462 test_connect_delay fails at test_connect_delay.cpp:80 * LIBZMQ-497 Messages getting dropped * LIBZMQ-488 signaler.cpp leaks the win32 Event Handle * LIBZMQ-476 zmq_disconnect has no effect for inproc sockets * LIBZMQ-475 zmq_disconnect does not sent unsubscribe messages 0MQ version 3.2.2 stable, released on 2012/11/23 ================================================ Issues addressed in this release -------------------------------- * LIBZMQ-384 No meta data for ZMQ_EVENT_DISCONNECTED monitor event * LIBZMQ-414 Error in ARM/Thumb2 assembly (atomic_ptr.hpp) * LIBZMQ-417 zmq_assert (!incomplete_in) in session_base.cpp 228 * LIBZMQ-447 socket_base_t::recv() packet loss and memory leak at high receiving rate * LIBZMQ-448 Builds fail on older versions of GCC * LIBZMQ-449 Builds fail on AIX * LIBZMQ-450 lt-test_monitor: fails with assertion at test_monitor.cpp:81 * LIBZMQ-451 ZMQ_ROUTER_MANDATORY blocks forever * LIBZMQ-452 test_connect_delay.cpp:175:12: error: 'sleep' was not declared in this scope * LIBZMQ-458 lt-test_router_mandatory fails with assertion at test_router_mandatory.cpp:53 * LIBZMQ-459 Assertion failed: encoder (stream_engine.cpp:266 * LIBZMQ-464 PUB socket with HWM set leaks memory * LIBZMQ-465 PUB/SUB results in 80-90% of CPU load * LIBZMQ-468 ZMQ_XPUB_VERBOSE & unsubscribe * LIBZMQ-472 Segfault in zmq_poll in REQ to ROUTER dialog 0MQ version 3.2.1 (RC2), released on 2012/10/15 =============================================== Issues addressed in this release -------------------------------- * Fixed issue xxx - handle insufficient resources on accept() properly. * Fixed issue 443 - added ZMQ_XPUB_VERBOSE setsocket option. * Fixed issue 433 - ZeroMQ died on receiving EPIPE * Fixed issue 423 - test_pair_tcp hangs * Fixed issue 416 - socket_base: fix 'va_list' has not been declared error * Fixed issue 409 - Pub-sub interoperability between 2.x and 3.x. * Fixed issue 404 - zmq_term can not safely be re-entered with pgm transport * Fixed issue 399 - zmq_ctx_set_monitor callback is not works properly * Fixed issue 393 - libzmq does not build on Android (socklen_t signed comparison) * Fixed issue 392 - Interaction with pyzmq on Android * Fixed issue 389 - Assertion failure in mtrie.cpp:317 * Fixed issue 388 - tests/test_monitor.cpp has no newline at EOF (causes compile error) * Fixed issue 387 - "sa_family_t sa_family;" in pgm_socket.cpp is unused variable * Fixed issue 385 - Rework ZMQ_FAIL_UNROUTABLE socket option to actually work * Fixed issue 382 - Current libzmq doesn't compile on Android NDK * Fixed issue 377 - ZeroMQ will not build on Windows with OpenPGM * Fixed issue 375 - error: unused variable 'sa_family' * Fixed issue 373 - Unable to build libzmq/zeromq3.x on AIX7 * Fixed issue 372 - Unable to build libzmq/zeromq3.x on HPUX 11iv3 * Fixed issue 371 - Unable to build libzmq/zeromq3.x on RHEL5/SLES10 * Fixed issue 329 - wsa_error_to_errno() calls abort() on WSAEACCES * Fixed issue 309 - Assertion failed: options.recv_identity (socket_base.cpp:864) * Fixed issue 211 - Assertion failed: msg_->flags & ZMQ_MSG_MORE (rep.cpp:81) API changes ----------- * zmq_device () deprecated and replaced by zmq_proxy (). * zmq_ctx_set_monitor () replaced by zmq_socket_monitor (). * ZMQ_ROUTER_BEHAVIOR/ZMQ_FAIL_UNROUTABLE renamed experimentally to ZMQ_ROUTER_MANDATORY. 0MQ version 3.2.0 (RC1), released on 2012/06/05 =============================================== Bug fixes --------- * Fixed issue 264 - Potential bug with linger, messages dropped during socket close. * Fixed issue 293 - libzmq doesn't follow the ZMTP/1.0 spec (did not set reserved bits to 0). * Fixed issue 303 - Assertion failure in pgm_sender.cpp:102. * Fixed issue 320 - Assertion failure in connect_session.cpp:96 when connecting epgm to an invalid endpoint. * Fixed issue 325 - Assertion failure in xrep.cpp:93, when two sockets connect using the same identity. * Fixed issue 327 - Assertion failure in mtrie.cpp:246, when unsubscribing from channel. * Fixed issue 346 - Assertion failure in signaler.cpp:155, when using a closed socket. * Fixed issue 328 - unsubscribe wrongly clears multiple subscriptions. * Fixed issue 330 - IPC listener does not remove unix domain stream file when terminated. * Fixed issue 334 - Memory leak in session_base.cpp:59. * Fixed issue 369 - ROUTER cannot close/reopen while DEALER connected. Operating systems ----------------- * Fixed issue 301 - HPUX 11iv2 - build fails, CLOCK_MONOTONIC undefined. * Fixed issue 324 - OS/X - build fails, ECANTROUTE undefined. * Fixed issue 368 - Solaris / Sun C++ - build fails, no insert method in multimap classes. * Fixed issue 366 - Windows - ports not freed after crash. * Fixed issue 355 - Windows - build fails, MSVC solution file is out of date. * Fixed issue 331 - FreeBSD 8 and 9 - getaddrinfo fails with EAI_BADFLAGS on AI_V4MAPPED flag. * Fixed issue xxx - Added support for WinCE. Performance ----------- * Fixed issue xxx - Implemented atomic operations for ARMv7a (runs 15-20% faster). API changes ----------- * Fixed issue 337 - Cleaned-up context API: zmq_ctx_new() - create new context (will deprecate zmq_init) zmq_ctx_destroy() - destroy context (will deprecate zmq_term) zmq_ctx_set() - set context property zmq_ctx_get() - get context property * Fixed issue xxx - Cleaned-up message API: zmq_msg_send() - send a message (will deprecate zmq_sendmsg) zmq_msg_recv() - receive a message (will deprecate zmq_recvmsg) zmq_msg_more() - indicate whether this is final part of message zmq_msg_get() - get message property zmq_msg_set() - set message property * Fixed issue xxx - Added context monitoring API: zmq_ctx_set_monitor() - configure monitor callback. * Fixed issue xxx - Added unbind/disconnect API: zmq_unbind() - unbind socket. zmq_disconnect() - disconnect socket. * Fixed issue xxx - Added ZMQ_TCP_ACCEPT_FILTER setsockopt() for listening TCP sockets. * Fixed issue 336 - Removed sys: transport. * Fixed issue 333 - Added zmq_device function back to API (was removed in 3.0). * Fixed issue 340 - Add support for MAX_SOCKETS to new context API. OMQ version 3.1.0 (beta), released on 2011/12/18 ================================================ General information ------------------- Based on community consensus, the 0MQ 3.1.x release reverts a number of features introduced in version 3.0. The major reason for these changes is improving backward compatibility with 0MQ 2.1.x. Development of the 0MQ 3.0.x series will be discontinued, and users are encouraged to upgrade to 3.1. The 0MQ 3.1.x releases use ABI version 3. Reverted functionality ---------------------- The following functionality present in 0MQ 3.0 has been reverted: * Wire format changes. The 0MQ 3.1 wire format is identical to that of 0MQ 2.1. * LABELs and COMMANDs have been removed. * Explicit identies are re-introduced, however they can be used only for explicit routing, not for durable sockets. * The ZMQ_ROUTER and ZMQ_DEALER socket types are once again aliases for ZMQ_XREQ and ZMQ_XREP. New functionality ----------------- * The zmq_getmsgopt() function has been introduced. * Experimental IPv6 support has been introduced. This is disabled by default, see the zmq_setsockopt() documentation for enabling it. Other changes ------------- * The default HWM for all socket types has been set to 1000. * Many bug fixes. Building -------- * The dependency on libuuid has been removed. * Support for building on Android, and with MSVC 10 has been added. 0MQ version 3.0.0 (alpha), released on 2011/07/12 ================================================= New functionality ----------------- * A zmq_ctx_set_monitor() API to register a callback / event sink for changes in socket state. * POSIX-compliant zmq_send and zmq_recv introduced (uses raw buffer instead of message object). * ZMQ_MULTICAST_HOPS socket option added. Sets the appropriate field in IP headers of PGM packets. * Subscription forwarding. Instead of filtering on consumer, the subscription is moved as far as possible towards the publisher and filtering is done there. * ZMQ_XPUB, ZMQ_XSUB introduced. Allow to create subscription- forwarding-friendly intermediate devices. * Add sockopt ZMQ_RCVTIMEO/ZMQ_SNDTIMEO. Allow to set timeout for blocking send/recv calls. * A new LABEL flag was added to the wire format. The flag distinguishes message parts used by 0MQ (labels) from user payload message parts. * There is a new wire format for the REQ/REP pattern. First, the empty bottom-of-the-stack message part is not needed any more, the LABEL flag is used instead. Secondly, peer IDs are 32-bit integers rather than 17-byte UUIDs. * The REQ socket now drops duplicate replies. * Outstanding requests & replies associated with a client are dropped when the clients dies. This is a performance optimisation. * Introduced ZMQ_ROUTER and ZMQ_DEALER sockets. These mimic the functionality of ZMQ_ROUTER and ZMQ_DEALER in 0MQ/2.1.x. Guarantees backward compatibility for exsiting code. * Removed dependency on OS socketpair buffer size. No more asserts in mailbox.cpp because of low system limit of sockepair buffer size. API improvements ---------------- * Obsolete constants ZMQ_UPSTREAM and ZMQ_DOWNSTREAM removed. Use ZMQ_PUSH and ZMQ_PULL instead. * Timeout in zmq_poll is in milliseconds instead of microseconds. This makes zmq_poll() compliant with POSIX poll() * ZMQ_MCAST_LOOP removed. There's no support for multicast over loopback any more. Use IPC or TCP isntead. * zmq_send/zmq_recv was renamed zmq_sendmsg/zmq_recvmsg. * ZMQ_RECOVERY_IVL and ZMQ_RECOVERY_IVL_MSEC reconciled. The new option is named ZMQ_RECOVERY_IVL and the unit is milliseconds. * Option types changed. Most of the numeric types are now represented as 'int'. * ZMQ_HWM split into ZMQ_SNDHWM and ZMQ_RCVHWM. This makes it possible to control message flow separately for each direction. * ZMQ_NOBLOCK renamed ZMQ_DONTWAIT. That makes it POSIX-compliant. Less is More ------------ * Pre-built devices and zmq_device() removed. Should be made available as a separate project(s). * ZMQ_SWAP removed. Writing data to disk should be done on top of 0MQ, on inside it. * C++ binding removed from the core. Now it's a separate project, same as any other binding. Bug fixes --------- * Many. Building -------- * Make pkg-config dependency conditional. Distribution ------------ * Removed Debian packaging, which is now available at packages.debian.org or via apt-get. Older versions ============== * See NEWS in ZeroMQ 2.1.x repository at http://github.com/zeromq/zeromq2-1.