Debian Bug report logs - #836706
inspircd: CVE-2016-7142: certificate fingerprint spoofing through crafted SASL messages
Reported by: Antoine Beaupré <anarcat@debian.org>
Date: Sun, 4 Sep 2016 21:39:01 UTC
Severity: critical
Tags: fixed-upstream, security, upstream
Found in versions inspircd/2.0.5-1, inspircd/2.0.5-1+deb7u2
Fixed in versions inspircd/2.0.23-1, inspircd/2.0.17-1+deb8u2
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>: Bug#836706; Package src:inspircd. (Sun, 04 Sep 2016 21:39:05 GMT)
Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Sun, 04 Sep 2016 21:39:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: inspircd
Version: 2.0.5-1+deb7u2
Severity: critical
Tags: security
inspircd published 2.0.23 that fixes an issue with SASL
authentication. The details are here:
http://www.inspircd.org/2016/09/03/v2023-released.html
All versions are affected.
Upstream hasn't requested a CVE yet. I will contact oss-security to
make sure that happens.
It seems to also affect Charybdis, which fixed the issue in the
upcoming 3.5.3 release:
https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824
I will take care of the 3.5.3 upload or backporting those patches to
3.5.2 and 3.4 (if relevant) as soon as I can.
-- System Information:
Debian Release: 8.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Marked as found in versions inspircd/2.0.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Sep 2016 04:39:04 GMT)
Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Sep 2016 04:39:07 GMT)
Bug 836706 cloned as bug 836714. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Sep 2016 04:42:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>: Bug#836706; Package src:inspircd. (Mon, 05 Sep 2016 20:45:06 GMT)
Acknowledgement sent to James Lu <bitflip3@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Mon, 05 Sep 2016 20:45:06 GMT)
Message #16 received at 836706@bugs.debian.org:
Hi,
Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
this commit
https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a
Best,
James
Information forwarded to debian-bugs-dist@lists.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>: Bug#836706; Package src:inspircd. (Mon, 05 Sep 2016 22:06:04 GMT)
Acknowledgement sent to Guillaume Delacour <gui@iroqwa.org>: Extra info received and forwarded to list. Copy sent to Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Mon, 05 Sep 2016 22:06:04 GMT)
Message #21 received at 836706@bugs.debian.org:
On 05/09/2016 at 22:41, James Lu wrote:
> Hi,
Hi,
>
> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
> this commit
> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a
Yes, I've talked to upstream a few hours ago to include this particular
fix to 2.0.17; upload of 2.0.23 will follow to unstable.
>
> Best,
> James
>
--
Guillaume Delacour
Changed Bug title to 'inspircd: CVE-2016-7142: certificate fingerprint spoofing through crafted SASL messages' from 'certificate spoofing via crafted SASL messages'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Sep 2016 04:33:06 GMT)
Marked as fixed in versions inspircd/2.0.23-1. Request was from gui@iroqwa.org to control@bugs.debian.org. (Tue, 06 Sep 2016 18:54:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>: Bug#836706; Package src:inspircd. (Tue, 06 Sep 2016 21:33:07 GMT)
Acknowledgement sent to Guillaume Delacour <gui@iroqwa.org>: Extra info received and forwarded to list. Copy sent to Debian IRC Team <pkg-irc-maintainers@lists.alioth.debian.org>. (Tue, 06 Sep 2016 21:33:07 GMT)
Message #30 received at 836706@bugs.debian.org:
Please see attached the debdiff.
Also, please note that I can't upload myself to security-master as I'm
not a DD nor DM.
On 06/09/2016 at 00:02, Guillaume Delacour wrote:
>
>
> On 05/09/2016 at 22:41, James Lu wrote:
>> Hi,
>
> Hi,
>
>>
>> Just to narrow things down a bit, the relevant fix for InspIRCd 2.0 is
>> this commit
>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a
>
> Yes, I've talked to upstream a few hours ago to include this particular
> fix to 2.0.17; upload of 2.0.23 will follow to unstable.
>
>>
>> Best,
>> James
>>
>
--
Guillaume Delacour
[inspircd_2.0.17-1+deb8u2.debdiff (text/plain, attachment)]
Marked as fixed in versions inspircd/2.0.17-1+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Sep 2016 17:43:14 GMT)
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Sep 2016 17:43:15 GMT)
Notification sent to Antoine Beaupré <anarcat@debian.org>: Bug acknowledged by developer. (Thu, 08 Sep 2016 17:43:16 GMT)
Message sent on to Antoine Beaupré <anarcat@debian.org>: Bug#836706. (Thu, 08 Sep 2016 17:43:18 GMT)
Message #39 received at 836706-submitter@bugs.debian.org:
close 836706 2.0.17-1+deb8u2
thanks
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Oct 2016 07:25:14 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:05:19 2019