Has vulnerability "CVE-2020-36400" been fixed?

[kongshuiJ]

Has vulnerability "CVE-2020-36400" been fixed? I couldn't find a report on fixing it.

CVE-2020-36400: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36400

[bluca]

The commit that fixed it is literally linked in the mitre.org report you linked

[bill-torpey]

@bluca

Well, this is timely. I've just been asked to identify any known security vulnerabilities against libzmq for my day job. That led me here, and the mitre link is certainly helpful.

However, kong(?) has a point -- searching the repo for "CVE" (https://github.com/search?q=repo%3Azeromq%2Flibzmq+CVE&type=code) doesn't return much, and most of that is rather old.

So, a couple of questions if you would:

• Is the mitre list (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libzmq) complete? If not, is there a better source?
• Is it reasonable to assume that if a CVE in the list does not have a commit listed against it, that it is not fixed?

Thanks for any addl. information you can provide.

[kongshuiJ]

Hi @bluca

Thank you very much for your reply.

My main purpose is to fully confirm that the vulnerability has been resolved, as vulnerabilities like "CVE-2020-15166" can be searched for keywords in the repository, but I did not find any useful information for "CVE-2020-36400".