Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 314639 (CVE-2010-1156) - <net-irc/irssi-0.8.15: Multiple vulnerabilities (CVE-2010-{1155,1156})
Summary: <net-irc/irssi-0.8.15: Multiple vulnerabilities (CVE-2010-{1155,1156})
Alias: CVE-2010-1156
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2010-04-11 10:04 UTC by Tobias Heinlein (RETIRED)
Modified: 2010-08-14 14:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2010-04-11 10:04:07 UTC
"This release fixes two security issues: The first being that Irssi didn't check hostname on SSL connections and the other being a hard to exploit remote crash bug."

Sven, can 0.8.15 go stable?
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-22 17:38:51 UTC
Fixing summary.
Sven: Please advise.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-22 17:39:16 UTC
CVE-2010-1155 (
  Irssi before 0.8.15, when SSL is used, does not verify that the
  server hostname matches a domain name in the subject's Common Name
  (CN) field or a Subject Alternative Name field of the X.509
  certificate, which allows man-in-the-middle attackers to spoof IRC
  servers via an arbitrary certificate.

CVE-2010-1156 (
  core/nicklist.c in Irssi before 0.8.15 allows remote attackers to
  cause a denial of service (NULL pointer dereference and application
  crash) via vectors related to an attempted fuzzy nick match at the
  instant that a victim leaves a channel.

Comment 3 Sven Wegener gentoo-dev 2010-04-23 14:00:07 UTC
(In reply to comment #0)
> Sven, can 0.8.15 go stable?

Yes, I've been using it without problems since it has been commited.

Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-23 14:40:59 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-23 16:59:17 UTC
Stable for HPPA.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-04-23 17:24:49 UTC
amd64 stable.
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2010-04-23 18:07:14 UTC
All useflag combinations built,
net-irc/irssi-otr successfully built against it.
-> Looking good on x86.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-04-24 19:59:40 UTC
alpha/arm/ia64/s390/sh/sparc/x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-04-30 14:22:39 UTC
ppc done
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-04-30 14:24:15 UTC
ppc64 done; closing as last arch
Comment 11 Tomás Touceda (RETIRED) gentoo-dev 2010-04-30 14:34:08 UTC
This is a security bug, reopening.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:33:10 UTC
Vote: no.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:57:57 UTC
NO too, closing.