Bug 762673 - net-irc/inspircd: drop old versions 3.4.0 and 2.0.29
Summary: net-irc/inspircd: drop old versions 3.4.0 and 2.0.29
Status: RESOLVED DUPLICATE of bug 755854
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: SECURITY
Depends on:
Blocks:
 
Reported: 2020-12-30 19:12 UTC by Sadie Powell
Modified: 2020-12-31 04:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sadie Powell 2020-12-30 19:12:16 UTC
Hello,

Currently three versions of InspIRCd are packaged by Gentoo: 3.8.1 (latest), 3.4.0, and 2.0.29.

Would it be possible for you to remove the old packages for 3.4.0 and 2.0.29? InspIRCd v2 support ends at the end of 2020 (approx 29 hours from now at the time of filing) and 3.4.0 contains an unpatched security vulnerability so these versions are not really suitable for use anymore.

Thanks,

~Sadie
Comment 1 Jonas Stein gentoo-dev 2020-12-30 20:56:21 UTC
Thank you for reporting, do you have a link to the vulnerability? I could not find it upstream.
Comment 2 Sadie Powell 2020-12-30 21:00:05 UTC
(In reply to Jonas Stein from comment #1)
> Thank you for reporting, do you have a link to the vulnerability? I could
> not find it upstream.

Use after free vulnerability in the pgsql module (2020-01): https://docs.inspircd.org/security/2020-01/

Double free vulnerability in the websocket module (2020-02): https://docs.inspircd.org/security/2020-01/
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-30 21:16:00 UTC
This all appears to be covered by the inspircd we already have, and those bugs will necessitate cleanup too. No need for a separate bug for cleanup. Thank you for your attentiveness, in any case.

*** This bug has been marked as a duplicate of bug 755854 ***
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-30 21:22:25 UTC
They’ll be cleaned up shortly, thank you! (I’m not at a shell or I’d do it now).

Note that while they do need cleaning up, they’re shadowed by newer stable versions (green on packages.gentoo.org) so _shouldn’t_ be installed anyway unless someone goes out of their way to.
Comment 5 Ionen Wolkens gentoo-dev 2020-12-30 21:38:08 UTC
(In reply to Sam James from comment #4)
> Note that while they do need cleaning up, they’re shadowed by newer stable
> versions (green on packages.gentoo.org) so _shouldn’t_ be installed anyway
> unless someone goes out of their way to.
I wouldn't be surprised if someone is still clinging to v2 due to the configuration changes (I did for a while myself, but that was years ago and migrated since), but yeah it's really time to move on.
Comment 6 Wade Cline 2020-12-31 04:03:07 UTC
> I wouldn't be surprised if someone is still clinging to v2 due to the configuration changes (I did for a while myself, but that was years ago and migrated since), but yeah it's really time to move on.
I was waiting to remove v2 until it had hit EoL, but this is close enough.