Zeromq · Zeromq · CVE-2020-15166
**Name of the Vulnerable Software and Affected Versions**
ZeroMQ versions prior to 4.3.3
**Description**
The issue stems from a flaw in the resource control mechanism of ZeroMQ, a messaging library, which allows a remote attacker to cause a denial of service. Users exposing TCP transport public endpoints are impacted even when CURVE/ZAP is enabled. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients can no longer exchange any messages: their handshakes complete successfully and their messages are delivered to the library, but the server application never receives them.
**Recommendations**
For ZeroMQ versions prior to 4.3.3, update to version 4.3.3 to resolve the issue. As a temporary workaround, consider restricting access to TCP transport public endpoints to minimize the risk of exploitation. Avoid using raw TCP sockets connected to endpoints fully configured with CURVE/ZAP until the issue is resolved.