Date: Tue, 26 Jan 2010 03:13:46 +0000 (GMT)
From: moggie <moggie@elasticmind.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/143241: [maintainer-update|patch] irc/ircd-ratbox-devel: Security fix release
Message-ID: <20100126031346.82C9D26D2A1@mail.elasticmind.net>
Resent-Message-ID: <201001260320.o0Q3K39m094807@freefall.freebsd.org>
>Number: 143241 >Category: ports >Synopsis: [maintainer-update|patch] irc/ircd-ratbox-devel: Security fix release >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Tue Jan 26 03:20:03 UTC 2010 >Closed-Date: >Last-Modified: >Originator: moggie >Release: FreeBSD 7.2-RELEASE-p5 amd64 >Organization: >Environment: System: FreeBSD 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Thu Dec 3 18:59:41 GMT 2009 amd64 >Description: A vulnerability has been discovered in the 3.0.x branch of ratbox which affects the '/links' module. The vulnerability enables a user to trigger an event that can cause the IRCD to crash. This issue has been corrected in the ircd-ratbox-3.0.6 release. All IRCD admins running previous versions are advised to upgrade immediately. As a temporary work-around, the m_links.so module can be unloaded until the upgrade takes place. >How-To-Repeat: >Fix: --- ircd-ratbox-devel-3.0.6.diff begins here --- diff -ruN ircd-ratbox-devel.orig/Makefile ircd-ratbox-devel/Makefile --- ircd-ratbox-devel.orig/Makefile 2010-01-25 20:42:02.000000000 +0000 +++ ircd-ratbox-devel/Makefile 2010-01-25 20:43:53.000000000 +0000 @@ -7,7 +7,7 @@ # ex: ts=8 PORTNAME= ircd-ratbox -PORTVERSION= 3.0.5 +PORTVERSION= 3.0.6 #PORTREVISION= 2 CATEGORIES= irc ipv6 MASTER_SITES= ftp://ftp.ircd-ratbox.org/pub/ircd-ratbox/testing/ \ diff -ruN ircd-ratbox-devel.orig/distinfo ircd-ratbox-devel/distinfo --- ircd-ratbox-devel.orig/distinfo 2010-01-25 20:42:02.000000000 +0000 +++ ircd-ratbox-devel/distinfo 2010-01-25 20:44:16.000000000 +0000 
@@ -1,3 +1,3 @@ -MD5 (ircd-ratbox-3.0.5.tar.bz2) = 896230a3750e521507607ab9af732e24 -SHA256 (ircd-ratbox-3.0.5.tar.bz2) = 2f91c44db491180c396eccf72d0e7bd9cba366703157c9a63429d8845453d292 -SIZE (ircd-ratbox-3.0.5.tar.bz2) = 1977347 +MD5 (ircd-ratbox-3.0.6.tar.bz2) = 31f4fae4211144188b4b982d6e7d3465 +SHA256 (ircd-ratbox-3.0.6.tar.bz2) = 3acef6a692678d287033c9c7ba3e8d2f4c163d044f3b9859628e55041cb54b74 +SIZE (ircd-ratbox-3.0.6.tar.bz2) = 1977354 --- ircd-ratbox-devel-3.0.6.diff ends here --- --- vuln.xml.diff begins here --- --- vuln.xml.orig 2010-01-26 02:58:24.000000000 +0000 +++ vuln.xml 2010-01-26 02:59:19.000000000 +0000 
@@ -34,6 +34,45 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="7a53b700-0a1e-11df-9e9c-004095308322"> + <topic>ircd-ratbox -- Multiple Denial of Service Vulnerabilities</topic> + <affects> + <package> + <name>ircd-ratbox</name> + <range><le>2.2.8</le></range> + </package> + <package> + <name>ircd-ratbox-devel</name> + <range><le>3.0.5</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Two user-triggerable crashes have been identified in ircd-ratbox's + current branches:</p> + <blockquote> + <p>The first affects the /quote HELP module and allows a user to + trigger an IRCD crash on some platforms.</p> + <p>The second affects the /links processing module when the + flatten_links configuration option is not enabled.</p> + <p>Both of these issues have been corrected in the most recent + ircd-ratbox-2.2.9 and ircd-ratbox-3.0.6 releases for their + respective branches. As a temporary work-around, the m_help.so + and m_links.so modules can be unloaded until the IRCD itself can + be upgraded.</p> + </blockquote> + </body> + </description> + <references> + <url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000891.html</url> + <url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000892.html</url> + </references> + <dates> + <discovery>2010-01-26</discovery> + <entry>2010-01-26</entry> + </dates> + </vuln> + <vuln vid="848539dc-0458-11df-8dd7-002170daae37"> <topic>dokuwiki -- multiple vulnerabilities</topic> <affects> --- vuln.xml.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
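Review bot: In the distinfo hunk, the new MD5/SHA256/SIZE values are the only integrity check on a tarball that, per the MASTER_SITES context line in the Makefile hunk, is fetched over plain ftp:// (ftp://ftp.ircd-ratbox.org/pub/ircd-ratbox/testing/). For a security release, confirm the SHA256 against a digest obtained from upstream through a separate channel, if one is published, or at least against a second independent fetch, before committing.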
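Review bot: In the vuln.xml hunk, both <range> elements bound on the last affected version (<le>2.2.8</le> and <le>3.0.5</le>), which stops matching as soon as a package carries a PORTREVISION, because 3.0.5_1 sorts above 3.0.5. Bound on the fixed releases the description names instead: <lt>2.2.9</lt> and <lt>3.0.6</lt>. The entry also flags ircd-ratbox up to 2.2.8, while the port diff in this PR only moves irc/ircd-ratbox-devel to 3.0.6, so the 2.2.x port needs its own update to 2.2.9 or its users will be flagged with no fixed version to install. Minor style point: the <topic> is title-cased where the neighbouring dokuwiki entry uses lower case ("multiple vulnerabilities").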