From ${URL} : It was found that quasselcore is vulnerable to a denial of service attack by unauthenticated clients. The protocol negotiation did not take into account lack of a match, in which case PeerFactory::createPeer returns a nullptr, which is immediately dereferenced [1]. This issue was introduced in commit d1bf207 [2] (version 0.10.0 and later), and fixed in commit e678873 [3] (tagged as version 0.12.4). Can a CVE be assigned to this issue? [1] https://github.com/quassel/quassel/blob/f64ac93/src/core/coreauthhandler.cpp#L100 [2] https://github.com/quassel/quassel/commit/d1bf207 [3] https://github.com/quassel/quassel/commit/e678873 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Arch teams, please test and stabilise net-irc/quassel-0.12.4. Target KEYWORDS="amd64 ppc x86". Thanks!
(In reply to Michael Palimaka (kensington) from comment #1) > Arch teams, please test and stabilise net-irc/quassel-0.12.4. > > Target KEYWORDS="amd64 ppc x86". > > Thanks! Apologies for the noise, I didn't realise there was already a separate stabilisation bug.
Stabilisation and cleanup completed.
Maintainer(s), Thank you for cleanup! GLSA Vote: No Closing noglsa.