
[SECURITY] [DLA-1427-1] znc security update




Package        : znc
Version        : 1.4-2+deb8u1
CVE IDs        : CVE-2018-14055 CVE-2018-14056 
Debian Bugs    : #903787 #903788

It was discovered that there were two issues in znc, a modular IRC
bouncer:

  * There was insufficient validation of lines coming from the network,
    allowing a non-admin user to escalate their privileges and inject rogue
    values into znc.conf. (CVE-2018-14055)

  * A path traversal vulnerability (via "../" being embedded in a web skin
    name) allowed access to files outside of the allowed directory.
    (CVE-2018-14056)

For Debian 8 "Jessie", these issues have been fixed in znc version
1.4-2+deb8u1.

We recommend that you upgrade your znc packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
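
The two input checks these issues call for, as an added C++ example that is not part of the advisory and is not znc's actual patch: a skin name accepted only as a single path component, and a value accepted into a line-oriented config file only if it cannot start a new line. All function names, the "default" fallback skin and the sample inputs are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper: true only if `name` is one directory component,
// so it cannot climb out of the skins directory via "../".
bool is_safe_skin_name(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (unsigned char c : name) {
        // Path separators, NUL and other control bytes are never valid here.
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Hypothetical helper: resolve the skin directory, falling back to an
// assumed built-in skin named "default" when the request is rejected.
std::string skin_dir(const std::string& base, const std::string& requested) {
    return base + "/" + (is_safe_skin_name(requested) ? requested : "default");
}

// Hypothetical helper: true only if `value` stays on one config line.
bool is_single_line(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == '\0') return false;
    }
    return true;
}

// Render one "Key = value" line, or return an empty string when either
// part could smuggle an extra line into the file. Rejecting (rather than
// stripping) keeps the stored value identical to what was validated.
std::string render_config_line(const std::string& key, const std::string& value) {
    if (key.empty() || !is_single_line(key) || !is_single_line(value)) return "";
    return key + " = " + value + "\n";
}

int main() {
    // Constructed sample inputs.
    std::cout << skin_dir("/srv/skins", "dark") << "\n";
    std::cout << skin_dir("/srv/skins", "../../etc") << "\n";
    std::cout << render_config_line("Nick", "alice");
    std::cout << (render_config_line("Nick", "alice\nOther = 1").empty()
                      ? "rejected multi-line value\n" : "accepted\n");
    return 0;
}
```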
