Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593294 (CVE-2016-7144) - <net-irc/unrealircd-{3.2.10.7,4.0.6}: certificate spoofing through crafted SASL message
Summary: <net-irc/unrealircd-{3.2.10.7,4.0.6}: certificate spoofing through crafted SA...
Status: RESOLVED FIXED
Alias: CVE-2016-7144
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-09 13:46 UTC by Agostino Sarubbo
Modified: 2016-11-21 03:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-09 13:46:14 UTC
From ${URL} :

>> Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)
>> 
>> A security issue was detected in a number of IRCd's, including
>> UnrealIRCd, regarding the way SASL is implemented.
>> 
>> An attacker can send an SSL fingerprint of his choice to services when
>> doing SASL authentication. An attacker can compromise a services
>> account if the user has an SSL fingerprint stored in services.
>> 
>> https://github.com/unrealircd/unrealircd/commit/f473e355e1dc422c4f019dbf86bc50ba1a34a766



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev 2016-09-11 14:07:38 UTC
unrealircd-3.2.10.7 needs to be stabilized and unrealircd-3.2.10.4 dropped. Please go ahead.

4.x has never been stable yet so I bumped it without keeping the old version.
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-09-12 23:26:11 UTC
@ Arches,

please test and mark stable: =net-irc/unrealircd-3.2.10.7
Targeted stable KEYWORDS: amd64 x86 ppc
Comment 3 Agostino Sarubbo gentoo-dev 2016-09-13 12:03:13 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-09-29 09:07:29 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-09-29 13:09:09 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-11 12:54:01 UTC
@maintainer(s), please drop 3.2.10.4 so we can close.

GLSA Vote: No
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-21 03:11:46 UTC
Maintainer currently without commit access.  Tree is clean.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19eb6b32059e4c0351e7a4649cd9de2164ab91d5