Bug 785838 - <net-irc/oragono-2.6.1: Authentication bypass
Summary: <net-irc/oragono-2.6.1: Authentication bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-26 14:24 UTC by Sam James
Modified: 2021-04-26 15:38 UTC

See Also:
Package list:
Runtime testing required: ---

Description: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2021-04-26 14:24:06 UTC
From https://github.com/oragono/oragono/releases/tag/v2.6.1:

"Oragono 2.6.1 is a bugfix release, fixing a security issue that is critical for some private server configurations. We regret the oversight.

The issue affects two classes of server configuration:

Private servers that use server.password (i.e., the PASS command) for protection. If accounts.registration.allow-before-connect is enabled, the REGISTER command can be used to bypass authentication. Affected operators should set this field to false, or upgrade to 2.6.1, which disallows the insecure configuration. (If the field does not appear in the configuration file, the configuration is secure since the value defaults to false when unset.)

Private servers that use accounts.require-sasl for protection. If these servers do not additionally set accounts.registration.enabled to false, the REGISTER command can potentially be used to bypass authentication. Affected operators should set accounts.registration.enabled to false; this recommendation appeared in the operator manual but was not emphasized sufficiently. (Configurations that require SASL but allow open registration are potentially valid, e.g., in the case of public servers that require everyone to use a registered account; accordingly, Oragono 2.6.1 continues to permit such configurations.)
This release includes no changes to the config file format or the database."
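A small configuration audit for the two cases in the release note above, added here as an example and not Oragono's own code: `audit_oragono_config`, `_get` and the sample configs are assumed names, and the input is the dict that yaml.safe_load would return for an oragono.yaml, embedded inline so the check runs offline.

```python
from typing import Any
# Added example, not Oragono's own code: audit_oragono_config and the sample
# configs below are constructed. The dict mirrors what yaml.safe_load() returns
# for an oragono.yaml; it is embedded here so the check runs offline.


def _get(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted key path (e.g. 'accounts.registration.enabled') through nested dicts."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_oragono_config(cfg: dict) -> list[str]:
    """Return one finding per bypass described in the 2.6.1 release note (empty = clean).

    Case 1: server.password guards connections, but allow-before-connect lets REGISTER
    run before PASS. The note says it defaults to false, so only an explicit true counts.
    Case 2: accounts.require-sasl guards connections, but registration.enabled is not
    set to false, so an unauthenticated client could register and then pass SASL.
    """
    findings = []
    if _get(cfg, "server.password") and _get(cfg, "accounts.registration.allow-before-connect") is True:
        findings.append("server.password set with accounts.registration.allow-before-connect: true; "
                        "set it to false (Oragono 2.6.1 refuses this combination)")
    if _get(cfg, "accounts.require-sasl") is True and _get(cfg, "accounts.registration.enabled") is not False:
        findings.append("accounts.require-sasl: true without accounts.registration.enabled: false; "
                        "set it to false unless open registration on a SASL-only server is intended")
    return findings


# Constructed sample configs, limited to the keys the release note names.
INSECURE_PASS_CFG = {
    "server": {"password": "<password-hash-placeholder>"},
    "accounts": {"registration": {"enabled": True, "allow-before-connect": True}},
}
INSECURE_SASL_CFG = {"accounts": {"require-sasl": True, "registration": {"enabled": True}}}
HARDENED_CFG = {
    "server": {"password": "<password-hash-placeholder>"},
    "accounts": {"require-sasl": True, "registration": {"enabled": False}},
}

if __name__ == "__main__":
    for name, cfg in [("pass", INSECURE_PASS_CFG), ("sasl", INSECURE_SASL_CFG), ("hardened", HARDENED_CFG)]:
        print(name, audit_oragono_config(cfg) or "ok")
```

A configuration with server.password and no allow-before-connect key at all produces no finding, matching the note's statement that the unset value is secure.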
Comment 1: Larry the Git Cow (gentoo-dev), 2021-04-26 15:37:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81f5d0c931bbbaa54976dc1b7af77034774faeb6

commit 81f5d0c931bbbaa54976dc1b7af77034774faeb6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-04-26 14:25:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-04-26 15:37:17 +0000

    net-irc/oragono: drop 2.5.1, 2.6.0 (security cleanup)
    
    Bug: https://bugs.gentoo.org/785838
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/oragono/Manifest             |  2 --
 net-irc/oragono/oragono-2.5.1.ebuild | 68 ------------------------------------
 net-irc/oragono/oragono-2.6.0.ebuild | 68 ------------------------------------
 3 files changed, 138 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62d86a40c64b328d2f153250440bb2e1827fce63

commit 62d86a40c64b328d2f153250440bb2e1827fce63
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-04-26 14:24:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-04-26 15:37:16 +0000

    net-irc/oragono: add 2.6.1
    
    Bug: https://bugs.gentoo.org/785838
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/oragono/Manifest             |  1 +
 net-irc/oragono/oragono-2.6.1.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)