From ${URL} : >> This vulnerability allows any attacker to spoof certificate >> fingerprints via crafted SASL messages to the IRCd. This allows any >> user to login as any other user that they know the certificate >> fingerprint of, and that user has services configured to accept SASL >> EXTERNAL login requests for. >> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@ maintainer(s): v2.0.23 which contains the fix is available since 2016-09-03.
Created attachment 464364 [details, diff] inspircd 2.0.23 Bugzie appears to have eaten the emails about this. I never saw this in "bugs assigned to me", because of course, it's assigned to a security@ alias instead of a person that can fix it. Attached is a bump, fully tested (build, run, and client connect) on x86_64 and PPC64.
PR: https://github.com/gentoo/gentoo/pull/4035
Now in repository. Let's wait until 2017-02-27 before we start stabilization.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No