| Summary: | <net-irc/inspircd-2.0.23: certificate spoofing through crafted SASL message | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | minor | CC: | slawomir.nizio | ||||
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://www.openwall.com/lists/oss-security/2016/09/05/8 | ||||||
| Whiteboard: | B3 [noglsa/cve] | ||||||
| Package list: |
=net-irc/inspircd-2.0.23
|
Runtime testing required: | --- | ||||
| Attachments: |
|
||||||
@ maintainer(s): v2.0.23 which contains the fix is available since 2016-09-03. Created attachment 464364 [details, diff]
inspircd 2.0.23
Bugzie appears to have eaten the emails about this. I never saw this in "bugs assigned to me", because of course, it's assigned to a security@ alias instead of a person that can fix it.
Attached is a bump, fully tested (build, run, and client connect) on x86_64 and PPC64.
Now in repository. Let's wait until 2017-02-27 before we start stabilization. amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. Arches and Maintainer(s), Thank you for your work. GLSA Vote: No |
From ${URL} : >> This vulnerability allows any attacker to spoof certificate >> fingerprints via crafted SASL messages to the IRCd. This allows any >> user to login as any other user that they know the certificate >> fingerprint of, and that user has services configured to accept SASL >> EXTERNAL login requests for. >> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.