Some vulnerabilities have been reported in ZNC, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to ZNC not correctly handling certain exceptions related to "substr()" calls, which can be exploited to crash ZNC by e.g. sending a "PING" command without parameters or connecting to a malicious IRC server. The vulnerabilities are reported in version 0.092. Other versions may also be affected. http://znc.svn.sourceforge.net/viewvc/znc?view=revision&revision=2093 http://znc.svn.sourceforge.net/viewvc/znc?view=revision&revision=2095
added patch in =net-irc/znc-0.092-r1, using the upstream commits reported. wired * gentoo-x86/net-irc/znc/ (files/znc-0.092-dos-fix.patch ChangeLog znc-0.092-r1.ebuild): fixed security bug #332535
Arches, please test and mark stable: =net-irc/znc-0.094 Target keywords : "amd64 x86"
amd64 done
x86 stable, all arches done
CVE-2010-2812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2812): Client.cpp in ZNC 0.092 allows remote attackers to cause a denial of service (exception and daemon crash) via a PING command that lacks an argument. CVE-2010-2934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2934): Multiple unspecified vulnerabilities in ZNC 0.092 allow remote attackers to cause a denial of service (exception and daemon crash) via unknown vectors related to "unsafe substr() calls."
GLSA vote: NO.
no too, closing.