There was a security update which was just fixed about the bot segfaulting when it receives an empty CTCP in NOTICE, and it would be important to update the ebuild ASAP. I also added 2 USE flags for 'uptime' reports and raw 'dns' resolving support, which should not be activated all the time.
Created attachment 86455: Bump with segfault fixed and uptime + dns USE flags.
Does security want this? Looks like a good way to DoS the thing to me... ;)
Let's move on! It's been here for a while and did not even make its way to portage yet. (Did I misset severity to minor?)
Hi IRC team, emech seems to have a security issue, please bump an updated ebuild. Jakub: thanks. Jérome: sorry for the lag :/ . The severity is indeed "minor" :) From http://www.energymech.net/ : "EnergyMech 3.0.2 Contains a critical bugfix. Yes we're still alive. Download it now"
revbumped, security, you need anything else?
Thanks Antarus. (Whereas I'm not sure that the 2.x branch is affected.) x86 & ppc, please mark 3.0.2 stable, thanks in advance
Just seen the new ebuild version pop up in portage, but it still does not contain the 'uptime' and 'dns' USE flags to allow disabling uptime reports and raw DNS resolving; not everyone wants that, and I would consider it important to add those too. The ebuild I attached is a modified version which only adds those two flags. Thanks.
ppc stable
Seems misplaced in auditing and fixing status whiteboard. x86 please test and mark stable if possible.
x86 done
Time for GLSA vote. I tend to vote NO.
Can't be sure without the source, but from "empty CTCP" I'd vote another "no".
I vote yes: 1. to send an empty CTCP is trivial; 2. it's very worrying for the user (it's not like a Xine DoS: on IRC, you could be banned or akilled if you're rejoining too often. And it pollutes the logs); 3. and many IRC users love to play such stupid games.
I vote YES. DoS on IRC is evil :)
Ok, let's have a GLSA.
Sent as GLSA 200606-26