[Secure-testing-team] Bug#836706: certificate spoofing via crafted SASL messages

Antoine Beaupré anarcat at debian.org
Sun Sep 4 21:34:33 UTC 2016


Source: inspircd
Version: 2.0.5-1+deb7u2
Severity: critical
Tags: security

inspircd published 2.0.23 that fixes an issue with SASL
authentication. The details are here:

http://www.inspircd.org/2016/09/03/v2023-released.html

All versions are affected.

Upstream hasn't requested a CVE yet. I will contact oss-security to
make sure that happens.

It seems to also affect Charybdis, which fixed the issue in the
upcoming 3.5.3 release:

https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824

I will take care of the 3.5.3 upload or backporting those patches to
3.5.2 and 3.4 (if relevant) as soon as I can.

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



More information about the Secure-testing-team mailing list