From ${URL} :

Description
Two vulnerabilities have been reported in UnrealIRCd, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) An unspecified NULL pointer dereference error can be exploited to cause a crash.
2) An unspecified use-after-free error can be exploited to cause a crash.
The vulnerabilities are reported in versions 3.2.10 and 3.2.10.1.

Solution: Update to version 3.2.10.2.
Provided and/or discovered by: Reported by the vendor.
Original Advisory: http://forums.unrealircd.com/viewtopic.php?f=2&t=8221

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I’ve bumped to unrealircd-3.2.10.2, though I left older versions in. What next? ;-)
Thank you Nathan.
Arches, please test and mark stable:
=net-irc/unrealircd-3.2.10.2
Target Keywords : "amd64 ppc x86"
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
I’ve dropped =unrealircd-3.2.10.1 which has the security flaw.
Thank you. GLSA vote: no.
GLSA vote: no.
Closing noglsa.
CVE-2013-7384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7384): UnrealIRCd 3.2.10 before 3.2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors, related to SSL. NOTE: this issue was SPLIT from CVE-2013-6413 per ADT2 due to different vulnerability types.

CVE-2013-6413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6413): Use-after-free vulnerability in UnrealIRCd 3.2.10 before 3.2.10.2 allows remote attackers to cause a denial of service (crash) via unspecified vectors. NOTE: this identifier was SPLIT per ADT2 due to different vulnerability types. CVE-2013-7384 was assigned for the NULL pointer dereference.