• [SECURITY] [DSA 3226-1] inspircd security update

    From Sebastien Delafond@1:229/2 to All on Wed Apr 15 17:50:03 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3226-1                   [email protected]
    http://www.debian.org/security/                        Sebastien Delafond
    April 15, 2015                         http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : inspircd
    Debian Bug : 780880

    [email protected] discovered several problems in inspircd, an IRC daemon:

      - an incomplete patch for CVE-2012-1836 failed to adequately resolve
        the problem where maliciously crafted DNS requests could lead to
        remote code execution through a heap-based buffer overflow.

      - the incorrect processing of specific DNS packets could trigger an
        infinite loop, thus resulting in a denial of service.

    For the stable distribution (wheezy), this problem has been fixed in
    version 2.0.5-1+deb7u1.

    For the upcoming stable distribution (jessie) and unstable
    distribution (sid), this problem has been fixed in version 2.0.16-1.

    We recommend that you upgrade your inspircd packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]
    Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Cronus@1:229/2 to Sebastien Delafond on Wed Apr 15 18:20:02 2015
    XPost: linux.debian.security
    From: [email protected]

    I would just like to point out this is ONLY applied to Debian. InspIRCd
    itself fixed this 3 years ago, and until now Debian refused to fix this
    in their repo.
