Has vulnerability "CVE-2020-36400" been fixed?

Question

Has vulnerability "CVE-2020-36400" been fixed?

kongshuiJ opened this issue 5 months ago · comments

kongshui commented 5 months ago

Has vulnerability "CVE-2020-36400" been fixed?
I couldn't find a report on fixing it.

CVE-2020-36400:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36400

Luca Boccassi · Answer 1 · Thu Feb 01 2024 20:16:11 GMT+0800 (China Standard Time)

The commit that fixed it is literally linked in the mitre.org report you linked

Bill Torpey · Answer 2 · Fri Feb 02 2024 05:27:21 GMT+0800 (China Standard Time)

@bluca

Well, this is timely. I've just been asked to identify any known security vulnerabilities against libzmq for my day job. That led me here, and the mitre link is certainly helpful.

However, kong(?) has a point -- searching the repo for "CVE" (https://github.com/search?q=repo%3Azeromq%2Flibzmq+CVE&type=code) doesn't return much, and most of that is rather old.

So, a couple of questions if you would:

Is the mitre list (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libzmq) complete? If not, is there a better source?
Is it reasonable to assume that if a CVE in the list does not have a commit listed against it, that it is not fixed?

Thanks for any addl. information you can provide.

kongshui · Answer 3 · Fri Feb 02 2024 10:27:27 GMT+0800 (China Standard Time)

Hi @bluca

Thank you very much for your reply.

My main purpose is to fully confirm that the vulnerability has been resolved, as vulnerabilities like "CVE-2020-15166" can be searched for keywords in the repository, but I did not find any useful information for "CVE-2020-36400".