From ${URL} :

>> This vulnerability allows any attacker to spoof certificate
>> fingerprints via crafted SASL messages to the IRCd. This allows any
>> user to login as any other user that they know the certificate
>> fingerprint of, and that user has services configured to accept SASL
>> EXTERNAL login requests for.

>> This bug appears more widespread than just InspIRCd, and seems to
>> affect most or all other implementations of SASL EXTERNAL, including
>> Charybdis and UnrealIRCd.

> It seems to also affect Charybdis, which fixed the issue in the
> upcoming 3.5.3 release:
>
> https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
v3.5.3 is the first released version containing the fix.
# Michał Górny <mgorny@gentoo.org> (05 Jun 2017)
# (on behalf of Treecleaner project)
# Unmaintained in Gentoo. Security vulnerability.
# Removal in 30 days. Bug #562896.
net-irc/charybdis
commit b6e6234008767ec82ed0fb1642b3f933d94e5f8f
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: Wed Jul 5 12:32:14 2017
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: Wed Jul 5 12:35:23 2017

    net-irc/charybdis: Remove last-rited pkg, #562896
All done: Package was removed, repository is clean. No need for a removal GLSA.