ports/143241: [maintainer-update|patch] irc/ircd-ratbox-devel: Security fix release
moggie
moggie at elasticmind.net
Tue Jan 26 03:20:04 UTC 2010
>Number: 143241
>Category: ports
>Synopsis: [maintainer-update|patch] irc/ircd-ratbox-devel: Security fix release
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 26 03:20:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: moggie
>Release: FreeBSD 7.2-RELEASE-p5 amd64
>Organization:
>Environment:
System: FreeBSD 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Thu Dec 3 18:59:41 GMT 2009 amd64
>Description:
A vulnerability has been discovered in the 3.0.x branch of ratbox which affects the '/links' module.
The vulnerability enables a user to trigger an event that can cause the IRCD to crash. This issue has been corrected in the ircd-ratbox-3.0.6 release. All IRCD admins running previous versions are advised to upgrade immediately.
As a temporary work-around, the m_links.so module can be unloaded until the upgrade takes place.
>How-To-Repeat:
>Fix:
--- ircd-ratbox-devel-3.0.6.diff begins here ---
diff -ruN ircd-ratbox-devel.orig/Makefile ircd-ratbox-devel/Makefile
--- ircd-ratbox-devel.orig/Makefile 2010-01-25 20:42:02.000000000 +0000
+++ ircd-ratbox-devel/Makefile 2010-01-25 20:43:53.000000000 +0000
@@ -7,7 +7,7 @@
# ex: ts=8
PORTNAME= ircd-ratbox
-PORTVERSION= 3.0.5
+PORTVERSION= 3.0.6
#PORTREVISION= 2
CATEGORIES= irc ipv6
MASTER_SITES= ftp://ftp.ircd-ratbox.org/pub/ircd-ratbox/testing/ \
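Review bot: the commented-out `#PORTREVISION= 2` on the context line under the new PORTVERSION is stale and should be deleted in this update rather than carried forward, since a PORTVERSION bump resets the revision anyway. Separately, MASTER_SITES fetches over plain ftp:// from the testing/ directory, so for this security release the distinfo hashes are the only integrity check on the tarball.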
diff -ruN ircd-ratbox-devel.orig/distinfo ircd-ratbox-devel/distinfo
--- ircd-ratbox-devel.orig/distinfo 2010-01-25 20:42:02.000000000 +0000
+++ ircd-ratbox-devel/distinfo 2010-01-25 20:44:16.000000000 +0000
@@ -1,3 +1,3 @@
-MD5 (ircd-ratbox-3.0.5.tar.bz2) = 896230a3750e521507607ab9af732e24
-SHA256 (ircd-ratbox-3.0.5.tar.bz2) = 2f91c44db491180c396eccf72d0e7bd9cba366703157c9a63429d8845453d292
-SIZE (ircd-ratbox-3.0.5.tar.bz2) = 1977347
+MD5 (ircd-ratbox-3.0.6.tar.bz2) = 31f4fae4211144188b4b982d6e7d3465
+SHA256 (ircd-ratbox-3.0.6.tar.bz2) = 3acef6a692678d287033c9c7ba3e8d2f4c163d044f3b9859628e55041cb54b74
+SIZE (ircd-ratbox-3.0.6.tar.bz2) = 1977354
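Review bot: nothing in the submission says where the new MD5 and SHA256 lines for ircd-ratbox-3.0.6.tar.bz2 came from, and the Makefile's only visible master site is unauthenticated FTP. Before commit, confirm the SHA256 against a value obtained independently of that FTP fetch (for example from the upstream release announcement, if it publishes one). The 7-byte SIZE difference from 3.0.5 is plausible for a small fix but is not evidence of authenticity.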
--- ircd-ratbox-devel-3.0.6.diff ends here ---
--- vuln.xml.diff begins here ---
--- vuln.xml.orig 2010-01-26 02:58:24.000000000 +0000
+++ vuln.xml 2010-01-26 02:59:19.000000000 +0000
@@ -34,6 +34,45 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="7a53b700-0a1e-11df-9e9c-004095308322">
+ <topic>ircd-ratbox -- Multiple Denial of Service Vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>ircd-ratbox</name>
+ <range><le>2.2.8</le></range>
+ </package>
+ <package>
+ <name>ircd-ratbox-devel</name>
+ <range><le>3.0.5</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Two user-triggerable crashes have been identified in ircd-ratbox's
+ current branches:</p>
+ <blockquote>
+ <p>The first affects the /quote HELP module and allows a user to
+ trigger an IRCD crash on some platforms.</p>
+ <p>The second affects the /links processing module when the
+ flatten_links configuration option is not enabled.</p>
+ <p>Both of these issues have been corrected in the most recent
+ ircd-ratbox-2.2.9 and ircd-ratbox-3.0.6 releases for their
+ respective branches. As a temporary work-around, the m_help.so
+ and m_links.so modules can be unloaded until the IRCD itself can
+ be upgraded.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000891.html</url>
+ <url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000892.html</url>
+ </references>
+ <dates>
+ <discovery>2010-01-26</discovery>
+ <entry>2010-01-26</entry>
+ </dates>
+ </vuln>
+
<vuln vid="848539dc-0458-11df-8dd7-002170daae37">
<topic>dokuwiki -- multiple vulnerabilities</topic>
<affects>
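Review bot: the `<range><le>2.2.8</le></range>` and `<range><le>3.0.5</le></range>` bounds will not match a package that carries a port revision, because a version such as 3.0.5_1 sorts above 3.0.5; use `<lt>2.2.9</lt>` and `<lt>3.0.6</lt>` so every build before the fixed releases is flagged. The entry also marks the ircd-ratbox package up to 2.2.8 as vulnerable and describes the /quote HELP crash, while this PR only updates ircd-ratbox-devel and its description mentions only /links on the 3.0.x branch, so the 2.2.9 update needs to land alongside or the audit will flag a port with no fixed version available. Minor: the `<blockquote>` has no cite attribute pointing at one of the two list posts in `<references>`.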
--- vuln.xml.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: