Bug 762673

Summary: net-irc/inspircd: drop old versions 3.4.0 and 2.0.29
Product: Gentoo Linux
Reporter: Sadie Powell <sadie>
Component: Current packages
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: ionen, jstein, proxy-maint, sam, wadecline
Priority: Normal
Keywords: SECURITY
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=755854
https://bugs.gentoo.org/show_bug.cgi?id=755851
https://bugs.gentoo.org/show_bug.cgi?id=743205
Whiteboard:
Package list:
Runtime testing required: ---

Description Sadie Powell 2020-12-30 19:12:16 UTC
Hello,

Currently three versions of InspIRCd are packaged by Gentoo: 3.8.1 (latest), 3.4.0, and 2.0.29.

Would it be possible for you to remove the old packages for 3.4.0 and 2.0.29? InspIRCd v2 support ends at the end of 2020 (approx 29 hours from now at the time of filing) and 3.4.0 contains an unpatched security vulnerability so these versions are not really suitable for use anymore.

Thanks,

~Sadie
Comment 1 Jonas Stein gentoo-dev 2020-12-30 20:56:21 UTC
Thank you for reporting, do you have a link to the vulnerability? I could not find it upstream.
Comment 2 Sadie Powell 2020-12-30 21:00:05 UTC
(In reply to Jonas Stein from comment #1)
> Thank you for reporting, do you have a link to the vulnerability? I could
> not find it upstream.

Use after free vulnerability in the pgsql module (2020-01): https://docs.inspircd.org/security/2020-01/

Double free vulnerability in the websocket module (2020-02): https://docs.inspircd.org/security/2020-01/
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-30 21:16:00 UTC
This all appears to be covered by the inspircd we already have, and those bugs will necessitate cleanup too. No need for a separate bug for cleanup. Thank you for your attentiveness, in any case.

*** This bug has been marked as a duplicate of bug 755854 ***
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-30 21:22:25 UTC
They’ll be cleaned up shortly, thank you! (I’m not at a shell or I’d do it now).

Note that while they do need cleaning up, they’re shadowed by newer stable versions (green on packages.gentoo.org) so _shouldn’t_ be installed anyway unless someone goes out of their way to.
Comment 5 Ionen Wolkens gentoo-dev 2020-12-30 21:38:08 UTC
(In reply to Sam James from comment #4)
> Note that while they do need cleaning up, they’re shadowed by newer stable
> versions (green on packages.gentoo.org) so _shouldn’t_ be installed anyway
> unless someone goes out of their way to.
I wouldn't be surprised if someone is still clinging to v2 due to the configuration changes (I did for a while myself, but that was years ago and migrated since), but yeah it's really time to move on.
Comment 6 Wade Cline 2020-12-31 04:03:07 UTC
> I wouldn't be surprised if someone is still clinging to v2 due to the configuration changes (I did for a while myself, but that was years ago and migrated since), but yeah it's really time to move on.
I was waiting to remove v2 until it had hit EoL, but this is close enough.