| Summary: | `<net-irc/quassel-0.12.2`: incomplete fix for CVE-2013-4422 (CVE-2015-3427) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo `<ago>` |
| Component: | Vulnerabilities | Assignee: | Gentoo Security `<security>` |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | johu, net-irc, patrick, proxy-maint, sputnick |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/04/27/2 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 544230 | | |
Description

Agostino Sarubbo
2015-04-27 09:26:04 UTC

Lowest version we have left is 0.10, are you sure about the versions? If you actually meant 0.11.1 / 0.12.2 then these versions are in-tree and would need to be stabled. I'd recommend 0.12.2 only and dropping all older.

CVE-2015-3427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3427): Quassel before 0.12.2 does not properly re-initialize the database session when the PostgreSQL database is restarted, which allows remote attackers to conduct SQL injection attacks via a \ (backslash) in a message. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4422.

Yes, you are correct; here is the blurb from the upstream blog:

> Unfortunately, this fix also uncovered a more serious issue that has been around for a long time: restarting a PostgreSQL database while Quassel Core is running would not properly re-initialize the database session inside Quassel, bringing back an old security issue that we had deemed fixed. This forced us to create yet another release, so that's why we are now at version 0.12.2. The new issue is being tracked as CVE-2015-3427. Thanks to Pierre Schweitzer for registering this!
>
> http://quassel-irc.org

We need to stabilize 0.12.2 when ready. Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.

Yes, arch teams please proceed. Arches: amd64 arm ppc x86

amd64 stable

x86 stable

ppc stable

Thanks all. Cleanup done.

+ + 24 Jun 2015; Johannes Huber <johu@gentoo.org> -files/DOS-sec.patch, + -quassel-0.10.0-r1.ebuild, -quassel-0.11.1.ebuild: + Cleanup vulnerable versions, wrt bugs #547884, #544230. +

removing arm (no stable keywords)

Arches and Maintainer(s), thank you for your work. GLSA Vote: No

GLSA Vote: No