See https://wiki.znc.in/ChangeLog/1.9.1.

"""
This is a security release to fix CVE-2024-39844: remote code execution vulnerability in modtcl.

To mitigate this for existing installations, simply unload the modtcl module for every user, if it's loaded. Note that only users with admin rights can load modtcl at all.

Thanks to Johannes Kuhn (DasBrain) for reporting, to glguy for the patch, and to multiple IRC network operators for help with mitigating this on server side before disclosure.
"""
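One way to check an existing installation for the mitigation quoted above, as an added example that is not part of the original report or of ZNC's own tooling: it lists every place a configuration file loads modtcl. The function name, the sample configuration and the assumed znc.conf layout (`<Section name>` blocks, `LoadModule = name [args]` lines, `//` comments) are assumptions of this example.

```python
import re
import sys

# Constructed sample; the layout (<Section name> blocks, "LoadModule = name
# [args]" lines, "//" comments) is an assumption about znc.conf.
SAMPLE_CONF = """\
Version = 1.9.0
LoadModule = webadmin
<User alice>
    LoadModule = modtcl
    <Network libera>
        LoadModule = simple_away
    </Network>
</User>
<User bob>
    LoadModule = chansaver
    <Network oftc>
        LoadModule = modtcl /home/bob/scripts
    </Network>
</User>
"""

OPEN = re.compile(r"^<(\w+)(?:\s+(.+?))?>$")
CLOSE = re.compile(r"^</(\w+)>$")
LOAD = re.compile(r"^LoadModule\s*=\s*(\S+)", re.IGNORECASE)

def find_module_loads(conf_text, module="modtcl"):
    """Return (line_number, scope) for each LoadModule line naming `module`."""
    stack, hits = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()  # leave the innermost open section
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(" ".join(p for p in opened.groups() if p))
            continue
        load = LOAD.match(line)
        if load and load.group(1) == module:
            hits.append((lineno, "/".join(stack) or "global"))
    return hits

if __name__ == "__main__":
    # Pass the path to a configuration file, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, scope in find_module_loads(text):
        print(f"line {lineno}: modtcl loaded in {scope}")
```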
I've read through the git diff for znc-1.9.0..znc-1.9.1 and compared with the ebuild. It should be safe to just version bump the ebuild to 1.9.1 as-is.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45b50f01229e0996103e007f68beed45194e6239

commit 45b50f01229e0996103e007f68beed45194e6239
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-03 19:30:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-03 19:30:17 +0000

    net-irc/znc: add 1.9.1

    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/znc/Manifest         |   1 +
 net-irc/znc/znc-1.9.1.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c26479fb378aedb5634d1fae755c460a1b2da823

commit c26479fb378aedb5634d1fae755c460a1b2da823
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-24 05:14:03 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-24 05:16:48 +0000

    [ GLSA 202409-23 ] ZNC: Remote Code Execution

    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-23.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48c391750022adf7604e8ea1cac2188bd8028b13

commit 48c391750022adf7604e8ea1cac2188bd8028b13
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-12-02 06:00:28 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-12-02 06:03:41 +0000

    net-irc/znc: drop 1.8.2-r2, 1.9.0

    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-irc/znc/Manifest                               |   3 -
 net-irc/znc/files/znc-1.8.2-add-libera.patch       |  55 -----
 .../znc/files/znc-1.8.2-fix-odr-violation.patch    |  56 -----
 net-irc/znc/files/znc-1.8.2-fix-python-3.10.patch  |  31 ---
 net-irc/znc/files/znc-1.8.2-fix-swig-2.patch       | 123 ----------
 net-irc/znc/files/znc-1.8.2-fix-swig.patch         |  43 ----
 .../znc/files/znc-1.8.2-fix-systemd-datadir.patch  |  23 --
 ....9.0-skip-modperl-modpython-tests-cleaner.patch | 248 ---------------------
 net-irc/znc/znc-1.8.2-r2.ebuild                    | 197 ----------------
 net-irc/znc/znc-1.9.0.ebuild                       | 199 -----------------
 10 files changed, 978 deletions(-)