From https://www.openwall.com/lists/oss-security/2022/01/30/4: ``` An authentication bypass has been found in certain combinations of InspIRCd and Atheme IRC Services. By abusing a mismatch of expectations between Atheme and InspIRCd, an attacker can start a challenge-response login and then end the IRC handshake in such a way that Atheme considers it to have succeeded. On some Atheme versions, the target account does not need to have challenge-response authentication enabled. # Vulnerable software This vulnerability arises from a combination of two pieces of software. Neither is expected to be vulnerable as part of any other software stack. Atheme prior to commit 4e664c75d0b280a052eb[1] is vulnerable (the potential for shenanigans was noted at the time of this commit, but the combination with InspIRCd was not). This affects the following release series: - 7.1 (unsupported) - 7.2 (fixed in 7.2.12) However, one of the following SASL authentication mechanisms must also be enabled in order to exploit this vulnerability: - ECDSA-NIST256P-CHALLENGE (available in versions 7.1, 7.2, master) - SCRAM-SHA-* (available in master only) - ECDH-X25519-CHALLENGE (available in master only) Atheme releases in the 7.2 series, and 7.2 and later development versions, are vulnerable to the general attack. In Atheme 7.1 only accounts with challenge-response authentication enabled can be targeted. The InspIRCd behaviour that enables this attack was introduced in commit 407b2e004cf66e442771[2] and reverted in 6703b8065ccaa0acb503[3]. This affects the 3.x and 4.x release series. [...] ```
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f264f80b9f955dd7ef8e10d0a0dddcb79ee0dca4 commit f264f80b9f955dd7ef8e10d0a0dddcb79ee0dca4 Author: Wade Cline <wadecline@hotmail.com> AuthorDate: 2022-01-31 00:06:18 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-01-31 01:00:58 +0000 net-irc/atheme-services: Add 7.2.12 Bug: https://bugs.gentoo.org/832400 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Wade Cline <wadecline@hotmail.com> Closes: https://github.com/gentoo/gentoo/pull/24026 Signed-off-by: Sam James <sam@gentoo.org> net-irc/atheme-services/Manifest | 1 + .../atheme-services/atheme-services-7.2.12.ebuild | 91 ++++++++++++++++++++++ 2 files changed, 92 insertions(+)
Please file a stable bug when ready and have it block this one. Thanks! (You may want to do it immediately if it's working fine for you.)
Please cleanup, thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9832e9d52ac367e7f1dc1a13d13c6e5a83bc120 commit a9832e9d52ac367e7f1dc1a13d13c6e5a83bc120 Author: Wade Cline <wadecline@hotmail.com> AuthorDate: 2022-02-01 03:38:45 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-02-03 02:18:01 +0000 net-irc/atheme-services: Drop 7.2.11 Bug: https://bugs.gentoo.org/832400 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Wade Cline <wadecline@hotmail.com> Closes: https://github.com/gentoo/gentoo/pull/24039 Signed-off-by: Sam James <sam@gentoo.org> net-irc/atheme-services/Manifest | 1 - .../atheme-services-7.2.11-r1.ebuild | 91 ---------------------- 2 files changed, 92 deletions(-)
Thanks!
No problem!
I think this one can be closed since versions of net-irc/atheme-services less than 7.2.12 have been dropped.
