The version of InspIRCd currently in portage ~x86 and ~amd64 (as of Sun 30th July 2006) has a vulnerability whereby if the m_timedbans.so module is loaded, a remote user can cause the IRC server to consume large amounts of CPU time by exploiting a flaw in this module. To resolve this issue, users should unload m_timedbans.so or upgrade. The purpose of this bug report is twofold: firstly to inform the Gentoo developers of this vulnerability, and secondly to inform the developers of a new version available which fixes this problem, available at: http://prdownloads.sourceforge.net/inspircd/InspIRCd-1.0.6.tar.bz2?download Thanks for your time.
As proxy-maintainer of the package, I see no problem with bumping the version. 1.0.6 runs fine with my test config, anyhow.
Bumped in CVS. Please CC me the next time.
(In reply to comment #2)
> Bumped in CVS. Please CC me the next time.
Err,
1/ It's security's job to CC maintainers
2/ You are not mentioned anywhere in metadata.xml, hard to CC then...
3/ Also, it's security job to resolve security bugs, AFAIK.
@Craig: Please, don't security-restrict bugs assigned to bug wranglers, they go to nowhere land if you do it. Leave those checkboxes alone. Thanks.
(In reply to comment #3)
> 2/ You are not mentioned anywhere in metadata.xml, hard to CC then...
<description>Indirectly maintaining through hansmi@gentoo.org</description>
I would say that's mentioned enough.
> 3/ Also, it's security job to resolve security bugs, AFAIK.
Okay, I didn't notice it was assigned to security, because I was pointed to this bug by William Pitcock on IRC. Craig is the upstream dev of inspircd, and I'm in contact with both him and William. Just as an info.
Thanks, closing without GLSA since this was never stable.