Summary: | <net-irc/unrealircd-{3.2.10.7,4.0.6}: certificate spoofing through crafted SASL message | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | binki |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2016/09/05/8 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
unrealircd-3.2.10.7 needs to be stabilized and unrealircd-3.2.10.4 dropped. Please go ahead. 4.x has never been stable yet so I bumped it without keeping the old version.

@ Arches, please test and mark stable:
=net-irc/unrealircd-3.2.10.7
Targeted stable KEYWORDS: amd64 x86 ppc

amd64 stable

x86 stable

ppc stable. Maintainer(s), please cleanup. Security, please vote.

@maintainer(s), please drop 3.2.10.4 so we can close. GLSA Vote: No

Maintainer currently without commit access. Tree is clean. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19eb6b32059e4c0351e7a4649cd9de2164ab91d5
From ${URL} :

>> Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)
>>
>> A security issue was detected in a number of IRCd's, including
>> UnrealIRCd, regarding the way SASL is implemented.
>>
>> An attacker can send an SSL fingerprint of his choice to services when
>> doing SASL authentication. An attacker can compromise a services
>> account if the user has an SSL fingerprint stored in services.
>>
>> https://github.com/unrealircd/unrealircd/commit/f473e355e1dc422c4f019dbf86bc50ba1a34a766

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.