[SECURITY] [DLA-1427-1] znc security update
Package : znc
Version : 1.4-2+deb8u1
CVE IDs : CVE-2018-14055 CVE-2018-14056
Debian Bugs : #903787 #903788
It was discovered that there were two issues in znc, a modular IRC
bouncer:
* There was insufficient validation of lines coming from the network,
allowing a non-admin user to escalate their privileges and inject rogue
values into znc.conf. (CVE-2018-14055)
* A path traversal vulnerability (via "../" being embedded in a web skin
name) allowed access to files outside of the allowed directory.
(CVE-2018-14056)
For Debian 8 "Jessie", these issues have been fixed in znc version
1.4-2+deb8u1.
We recommend that you upgrade your znc packages.
Regards,
- --
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
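The two input checks that these bug classes call for, as an added example (not ZNC's code and not the Debian patch): a single-line check for values written to a line-oriented config file, and a containment check for a user-supplied skin name. All function names are hypothetical, and the skins directory is assumed to be an absolute path.

```cpp
// Added illustration; not ZNC source. All names here are hypothetical.
#include <string>
#include <vector>

// A value written to one line of a line-oriented config file must not contain
// line terminators or NUL, otherwise it can introduce additional lines.
bool is_single_line_value(const std::string& v) {
    return v.find_first_of(std::string("\r\n\0", 3)) == std::string::npos;
}

// Lexically normalise an absolute path: drop "." and empty segments, resolve
// "..". Returns false if a ".." would climb above the root.
static bool normalise(const std::string& path, std::string& out) {
    std::vector<std::string> parts;
    std::string seg;
    for (std::size_t i = 0; i <= path.size(); ++i) {
        if (i == path.size() || path[i] == '/') {
            if (seg == "..") {
                if (parts.empty()) return false;
                parts.pop_back();
            } else if (!seg.empty() && seg != ".") {
                parts.push_back(seg);
            }
            seg.clear();
        } else {
            seg += path[i];
        }
    }
    out.clear();
    for (const auto& p : parts) out += "/" + p;
    return true;
}

// Accept a skin name only if the resolved directory stays strictly inside
// skins_dir (assumed absolute). This check is lexical; it does not follow
// symlinks, so the skins directory itself must be trusted.
bool skin_path_is_contained(const std::string& skins_dir, const std::string& name) {
    if (name.empty() || name.find('\0') != std::string::npos) return false;
    std::string base, full;
    if (!normalise(skins_dir, base) || !normalise(skins_dir + "/" + name, full))
        return false;
    // Compare against base + "/" so "/skins-other" does not match "/skins".
    return full.size() > base.size() &&
           full.compare(0, base.size() + 1, base + "/") == 0;
}
```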