
Bug 952940

Summary: net-irc/inspircd-4.X potential denial of service by privileged user
Product: Gentoo Security
Reporter: Wade Cline <wadecline>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: UNCONFIRMED
Severity: minor
CC: ajak, wadecline
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description Wade Cline 2025-03-30 23:15:42 UTC
The 4.X series of InspIRCd contains a vulnerability where a server operator with a custom connect class can be used in order to remotely crash the InspIRCd server.  Details: https://docs.inspircd.org/security/2025-01/

Note that this vulnerability is not expected to affect most configurations.  The vulnerability is fixed in 4.7.0.  PR for 4.7.0: https://github.com/gentoo/gentoo/pull/41394
Comment 1 John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2025-03-30 23:38:31 UTC
Thank you! For the purposes of targeting, are we planning on stabling 4.x any time soon or are we maintaining 3.x and 4.x as separate release lines?
Comment 2 Wade Cline 2025-03-30 23:43:06 UTC
I'm planning on stabilizing 4.X soon and maintaining 3.X until EoY 2025 when upstream ends it.  Since no ebuild in 4.X has yet been stabilized I think merging unstable 4.7.0 and then stabilizing it in 30 days will be sufficient.

Would it make sense to drop 4.6.0 early?  I normally give users 30 days before dropping the old.