CVE-2008-7159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7159): The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string.

CVE-2008-7160 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7160): The silc_http_server_parse function in lib/silchttp/silchttpserver.c in the internal HTTP server in silcd in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.9 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted Content-Length header, related to incorrect use of a %lu format string.

CVE-2009-3051 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3051): Multiple format string vulnerabilities in lib/silcclient/client_entry.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client before 1.1.8, allow remote attackers to execute arbitrary code via format string specifiers in a nickname field, related to the (1) silc_client_add_client, (2) silc_client_update_client, and (3) silc_client_nickname_format functions.
*** Bug 280474 has been marked as a duplicate of this bug. ***
CVE-2009-3163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3163): Multiple format string vulnerabilities in lib/silcclient/command.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.10, and SILC Client 1.1.8 and earlier, allow remote attackers to execute arbitrary code via format string specifiers in a channel name, related to (1) silc_client_command_topic, (2) silc_client_command_kick, (3) silc_client_command_leave, and (4) silc_client_command_users.
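The two bug shapes named in the CVE summaries above, shown as an added example that is not SILC code and not part of this bug report. The first pair shows attacker-controlled text (a nickname or channel name) used directly as a printf-style format string, beside the one-token fix. The second part is a bounds-checked replacement for parsing a Content-Length value; the page says only "incorrect use of a %lu format string", so the assumed vulnerable pattern (scanning "%lu" into an object narrower than unsigned long, which on LP64 targets stores 8 bytes into a 4-byte field and clobbers the adjacent stack) is an assumption, and all function names here are hypothetical.

```c
/* Added example (not SILC code). Function names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern 1: remote-supplied text used *as* the format string, the shape
 * described for CVE-2009-3051 / CVE-2009-3163. A nickname containing "%n"
 * writes to the stack; "%x" or "%s" reads arbitrary stack data. The test
 * only feeds it "%%" (a well-defined directive) so the example itself stays
 * defined behaviour; the difference in output is still visible. */
static void format_nick_vulnerable(char *out, size_t outlen, const char *nick)
{
    snprintf(out, outlen, nick);            /* BUG: nick is the format string */
}

/* Hardened: the attacker's string is an argument, never the format. */
static void format_nick_fixed(char *out, size_t outlen, const char *nick)
{
    snprintf(out, outlen, "%s", nick);
}

/* Audit helper: would this string be interpreted as carrying directives if it
 * reached a format position? "%%" is a literal percent and does not count. */
static bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                  /* escaped percent, skip both */
            s++;
            continue;
        }
        return true;                        /* a directive (or a dangling '%') */
    }
    return false;
}

/* Pattern 2 (assumed shape of the %lu issue): instead of sscanf("%lu") into a
 * narrower field, parse into the type the directive actually writes, validate
 * the text, and range-check before narrowing into the destination width. */
static bool parse_content_length(const char *hdr, unsigned int *out)
{
    if (!isdigit((unsigned char)hdr[0]))    /* rejects "", "-1", " 12", "+5" */
        return false;

    char *end;
    errno = 0;
    unsigned long v = strtoul(hdr, &end, 10);
    if (*end != '\0')                       /* trailing junk such as "12abc" */
        return false;
    if (errno == ERANGE || v > UINT_MAX)    /* would not fit the real field */
        return false;

    *out = (unsigned int)v;
    return true;
}

int main(void)
{
    char buf[64];
    const char *nick = "50%% off";          /* constructed sample input */

    format_nick_vulnerable(buf, sizeof buf, nick);
    printf("vulnerable: %s\n", buf);        /* "%%" collapsed: input was parsed */
    format_nick_fixed(buf, sizeof buf, nick);
    printf("fixed:      %s\n", buf);        /* nickname reproduced verbatim */
    printf("'bob%%n' carries a directive: %s\n",
           has_format_directive("bob%n") ? "yes" : "no");

    unsigned int n;
    printf("Content-Length 1234 -> %s\n",
           parse_content_length("1234", &n) ? "ok" : "rejected");
    printf("Content-Length 99999999999999999999 -> %s\n",
           parse_content_length("99999999999999999999", &n) ? "ok" : "rejected");
    return 0;
}
```

The audit helper is the check to run over any value that originates from the network before it is handed to a logging or formatting routine; the correct fix, though, is always the one in format_nick_fixed, because filtering percent signs out of user data is fragile while a literal "%s" format removes the bug class entirely.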
net-irc: *ping*
*silc-toolkit-1.1.10 (17 Apr 2010)

  17 Apr 2010; Lars Wendler <polynomial-c@gentoo.org> +silc-toolkit-1.1.10.ebuild:
  non-maintainer commit: version bump for security bug #284561
  Converted ebuild to EAPI-2 and did some cleanups but there are still some
  QA warnings about LDFLAGS.
*silc-client-1.1.8 (19 Apr 2010)

  19 Apr 2010; Lars Wendler <polynomial-c@gentoo.org> +silc-client-1.1.8.ebuild,
  +files/silc-client-1.1.8-docdir.patch:
  non-maintainer commit: version bump for security bug #284561
  Converted ebuild to EAPI-2 and did some cleanups but there are still some
  QA warnings about LDFLAGS.
Arches, please test and mark stable:
=net-im/silc-toolkit-1.1.10
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=net-im/silc-client-1.1.8
Target keywords : "amd64 ppc sparc x86"
I tested both packages on x86, they seem to be fine.
x86 stable
Stable for HPPA.
alpha/arm/ia64/sparc stable
amd64 stable
ppc done
ppc64 done too
glsa request filed
GLSA 201006-07