ALL ZNC versions prior to 0.072 have a path traversal bug in core. Users with a valid login are able to write files to all places to which ZNC has write access. This means they could upload and load new modules which do anything imaginabl
Reproducible: Didn't try
Please note that 0.072 had a regression which broke webadmin skins with images.
0.072 shouldn't be considered a stable version, but 0.074, which got released today, should be.
Thanks. net-irc: Please bump to 0.074.
Directory traversal vulnerability in ZNC before 0.072 allows remote
attackers to overwrite arbitrary files via a crafted DCC SEND request.
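A defensive check for the class of bug described above, as an added example (not ZNC's code or its actual fix): the file name offered by the remote peer is resolved component by component and rejected if it would leave the download directory. The helper name `SafeJoin` and the directory `/srv/dcc` are hypothetical.

```cpp
#include <string>
#include <vector>

// Hypothetical helper: join an untrusted, peer-supplied file name onto a
// trusted base directory. Returns "" if the result would leave baseDir.
// The check is lexical only; a symlink already inside baseDir would need
// an additional realpath()-style comparison.
std::string SafeJoin(const std::string& baseDir, const std::string& untrusted) {
    if (untrusted.empty() || untrusted.find('\0') != std::string::npos)
        return "";
    std::vector<std::string> parts;
    std::string cur;
    // Walk the name one component at a time. '\\' counts as a separator
    // too, because the sender may run on another platform.
    for (size_t i = 0; i <= untrusted.size(); ++i) {
        char c = (i < untrusted.size()) ? untrusted[i] : '/';
        if (c != '/' && c != '\\') { cur += c; continue; }
        if (i == 0) return "";                 // absolute path: reject
        if (cur == "..") {
            if (parts.empty()) return "";      // would climb above baseDir
            parts.pop_back();
        } else if (!cur.empty() && cur != ".") {
            parts.push_back(cur);
        }
        cur.clear();
    }
    if (parts.empty()) return "";              // nothing left to write to
    std::string out = baseDir;
    for (const std::string& p : parts) out += "/" + p;
    return out;
}
```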
+*znc-0.074 (12 Aug 2009)
+ 12 Aug 2009; Alex Legler <email@example.com> -znc-0.060.ebuild,
+ -znc-0.070.ebuild, +znc-0.074.ebuild, metadata.xml:
+ Non-maintainer commit: Version bump for security bug 278684. Removing
+ unneded vulnerable versions. Adding local "ares" USE flag for
+ newly-introduced support for c-ares in 0.074.
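Review bot: "unneded" in the Non-maintainer commit sentence should read "unneeded". The same entry also folds a new local "ares" USE flag into a security version bump; consider stating in the entry whether the flag is enabled by default, so anyone testing 0.074 knows which configuration was intended.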
Arches, please test and mark stable:
Target keywords : "amd64 x86"
amd64 stable, all arches done.
GLSA request filed.
GLSA 200909-17, thanks everyone.