From $URL : Description A vulnerability has been reported in Atheme, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a NULL-pointer dereference error (modules/nickserv/logout.c) when handling an external logout request and can be exploited to crash Atheme IRC services. The vulnerability is reported in versions 7.0.5. Solution Fixed in the source code repository. Provided and/or discovered by Reported by the vendor. Original Advisory https://github.com/atheme/atheme/commit/1aaa9e8f1d0b0b67b36c2a6318c71beaa7f39194 http://packetstormsecurity.org/files/119635/Atheme-IRC-Services-7.0.5-Denial-Of-Service.html
Maintainers, can you please check if this also affects 6.0.11?
This does not affect 6.0.x. The feature that caused the issue was first implemented in 7.0.0
(In reply to comment #2) > This does not affect 6.0.x. The feature that caused the issue was first > implemented in 7.0.0 Thanks, Jeff!
Any word on getting that patch applied?
this has been resolved with the addition of 7.0.6, affected versions are not in the tree anymore.
Per Ago's initial comment the github repo shows that the commit fixing external logout wasn't included until 7.1.0. https://github.com/atheme/atheme/commit/1aaa9e8f1d0b0b67b36c2a6318c71beaa7f39194 @maintainer, please bump the package. 7.2.6 is available upstream. After the bump please call let us know if you would like to stabilize the package. Thank you.
Still no bump from maintainer(s). Candidate for tree cleaning. Masking. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd375ecb40b70d324749730bf8dc6eb3e00e01e
This is fixed in 7.0.6, just the commit ago linked to is on the master branch, and so doesn't show the 7.0.6 tag. The project only does development on the master branch; maintenance releases are done on a release branch for that major/minor version, created upon the major/minor's release. https://github.com/atheme/atheme/commits/atheme-services-7.0.6 The commit that fixes the vulnerability on the release/7.0 branch is here: https://github.com/atheme/atheme/commit/ef0561d1f7611c23b312baee74fc16f38ce93977
package.mask entry removed. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88484c9740f9ab2e4774183b7922a7922a0a662e @maintainer(s), please cleanup the vulnerable version in the tree.
Sorry, this should be stabilized and then cleaned. @arches, please test and mark stable =net-irc/atheme-services-7.0.6-r1
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
All vulnerable 7.x ebuilds have been cleaned. Per previous comments the feature that was vulnerable was introduced in the 7.x code base. GLSA Vote: No
