CVE-2009-4652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4652): The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngircd/conn.c in ngIRCd 13 and 14, when SSL/TLS support is present and standalone mode is disabled, allow remote attackers to cause a denial of service (application crash) by sending the MOTD command from another server in the same IRC network, possibly related to an array index error.
ngircd has a stable (and likely vulnerable) version on x86 and ppc. Maintainers, are we ok to stabilize an unaffected version? Also, we should remove the vulnerable versions from the tree. Note: 0.12.1 -> 13 is just a versioning scheme change. I think the 0.x versions are also vulnerable.
@net-irc ping
(In reply to comment #1)
> ngircd has a stable (and likely vulnerable) version on x86 and ppc.
> Maintainers, are we ok to stabilize an unaffected version?
Please feel free to stabilize ngircd-17.1.
(In reply to comment #3)
> > Please feel free to stabilize ngircd-17.1.
Great, thanks (and thanks, Agostino).
Arches, please test and mark stable:
=net-irc/ngircd-17.1
Target keywords : "ppc x86"
Archtested on x86: Everything fine
x86 stable. Thanks JD.
ppc keywords dropped
Thanks, folks. GLSA Vote: yes.
GLSA vote: NO.
Vote: NO. Closing noglsa.
Actually closing.