See https://wiki.znc.in/ChangeLog/1.9.1.

"""
This is a security release to fix CVE-2024-39844: remote code execution vulnerability in modtcl.

To mitigate this for existing installations, simply unload the modtcl module for every user, if it's loaded. Note that only users with admin rights can load modtcl at all.

Thanks to Johannes Kuhn (DasBrain) for reporting, to glguy for the patch, and to multiple IRC network operators for help with mitigating this on server side before disclosure.
"""
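To apply the mitigation quoted above, an administrator first needs to know which users have modtcl loaded. The following is an added example, not part of the bug report or of ZNC: it walks a znc.conf and reports every scope that loads the module. The sample config is constructed, and the layout it assumes (nested `<User>`/`<Network>` blocks containing `LoadModule = name` lines, `//` comments) is an assumption to check against your own file.

```python
import re

# Constructed sample in the assumed znc.conf layout; not from a real install.
SAMPLE_CONF = """\
Version = 1.9.0
LoadModule = webadmin
<User alice>
    Admin = true
    LoadModule = chansaver
    LoadModule = modtcl
    <Network libera>
        LoadModule = simple_away
    </Network>
</User>
<User bob>
    LoadModule = controlpanel
</User>
"""

OPEN = re.compile(r"^<(\w+)\s+([^>]+)>$")    # e.g. <User alice>
CLOSE = re.compile(r"^</(\w+)>$")            # e.g. </User>
LOAD = re.compile(r"^LoadModule\s*=\s*(\S+)", re.IGNORECASE)

def find_module(conf_text, module="modtcl"):
    """Return the scopes (e.g. 'User alice') in which `module` is loaded."""
    stack, hits = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = OPEN.match(line)
        if m:
            # Entering a nested block: remember where we are.
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = LOAD.match(line)
        # Module arguments after the name, if any, are ignored.
        if m and m.group(1).lower() == module.lower():
            hits.append(" / ".join(stack) or "global")
    return hits

if __name__ == "__main__":
    for scope in find_module(SAMPLE_CONF):
        print(f"modtcl loaded in: {scope}")
```

An empty result means no scope in the file loads the module; any scope it prints is one where modtcl still has to be unloaded.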
I've read through the git diff for znc-1.9.0..znc-1.9.1 and compared with the ebuild. It should be safe to just version bump the ebuild to 1.9.1 as-is.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45b50f01229e0996103e007f68beed45194e6239

commit 45b50f01229e0996103e007f68beed45194e6239
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-03 19:30:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-03 19:30:17 +0000

    net-irc/znc: add 1.9.1

    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/znc/Manifest         |   1 +
 net-irc/znc/znc-1.9.1.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)