| Summary: | irssi new security issues CVE-2017-10965 and CVE-2017-10966 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, jani.valimaa, lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | irssi-1.0.3-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-07-07 17:44:44 CEST
David Walser
2017-07-07 17:44:55 CEST
Whiteboard: (none) => MGA6TOO, MGA5TOO

openSUSE has issued an advisory for this today (July 8):
https://lists.opensuse.org/opensuse-updates/2017-07/msg00044.html

Should be fixed for mga5 with irssi-0.8.21-1.2.mga5 in core/updates_testing.
I will fix mga6 after SVN branching is done.

Assignee: jani.valimaa => qa-bugs

Full package list so far:
irssi-0.8.21-1.2.mga5
irssi-devel-0.8.21-1.2.mga5
irssi-perl-0.8.21-1.2.mga5

It doesn't sound like these issues are the most serious, so I think we can wait for the Mageia 6 update before pushing this.

CC: (none) => qa-bugs

Updated packages uploaded for Mageia 6 and Cauldron by Jani. Assigning to QA.

Mageia 6 package list:
irssi-1.0.4-1.mga6
irssi-devel-1.0.4-1.mga6
irssi-perl-1.0.4-1.mga6

Assignee: jani.valimaa => qa-bugs

Advisory:
========================

Updated irssi packages fix security vulnerabilities:

A malicious server could cause irssi to crash by providing an invalid timestamp (CVE-2017-10965).

Undefined behavior may be triggered when irssi updates the internal nick list (CVE-2017-10966).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966
https://lists.opensuse.org/opensuse-updates/2017-07/msg00044.html
========================

Updated packages in core/updates_testing:
========================
irssi-0.8.21-1.2.mga5
irssi-devel-0.8.21-1.2.mga5
irssi-perl-0.8.21-1.2.mga5
irssi-1.0.4-1.mga6
irssi-devel-1.0.4-1.mga6
irssi-perl-1.0.4-1.mga6

from SRPMS:
irssi-0.8.21-1.2.mga5.src.rpm
irssi-1.0.4-1.mga6.src.rpm

$ uname -a
Linux localhost.localdomain 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux
Installed irssi 8.21-1.2
Irssi v0.8.21 - http://www.irssi.org
23:54 -!- ___ _
23:54 -!- |_ _|_ _ _____(_)
23:54 -!- | || '_(_-<_-< |
23:54 -!- |___|_| /__/__/_|
23:54 -!- Irssi v0.8.21 - http://www.irssi.org
connected to freenode and mageia
seems to be working as designed.

CC: (none) => brtians1
Lewis Smith
2017-07-22 10:07:01 CEST
Whiteboard: MGA5TOO mga5-32-ok => MGA5TOO mga5-32-ok advisory

mga6 x86_64
Installed the updates and used ~/.irssi/config
$ irssi
09:20 -!- Mode change [+Zi] for user tarazed
09:20 -!- tarazed [~lcl@cpc105078-sgyl40-2-0-cust252.18-2.cable.virginm.net] has joined #mageia-qa
09:20 -!- Topic for #mageia-qa: Mageia QA channel https://wiki.mageia.org/en/QA_Team | Welcome, join the team! | Meetings here Thursdays @ 19UTC | Updates waiting: http://mageia.madb.org/tools/updates | Here's how: http://bit.ly/Ne2lPP | Tips: http://bit.ly/17RzpIB | Mga6 Tracker http://bit.ly/1VDrJAw
09:20 -!- Topic set by Inigo_Montoya` [~supybot@xvm-164-207.ghst.net] [Thu Jul 20 20:38:59 2017]
09:20 [Users #mageia-qa]
09:20 [ [mbot` ] [ Inigo_Montoya`] [ neoclust ] [ stef74 ]
09:20 [ Akien ] [ jkerr82508 ] [ NyB ] [ stormi ]
09:20 [ Aussie_matt ] [ King_InuYasha ] [ papoteur_ ] [ tarazed ]
09:20 [ barjac ] [ leuhmanu ] [ Pharaoh_Atem] [ treegazer]
09:20 [ davesnothereman] [ Luigi12 ] [ philippem ] [ wally_ ]
09:20 [ david_david ] [ marja ] [ rindolf ] [ wikigazer]
09:20 [ Eagle_Erwin ] [ marja9 ] [ sander85 ]
09:20 [ ennael ] [ MrsB ] [ Sophie ]
09:20 -!- Irssi: #mageia-qa: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
09:20 -!- Channel #mageia-qa created Thu Jan 6 12:25:17 2011
09:20 -NickServ(NickServ@services.)- tarazed is not a registered nickname.
09:20 -!- Irssi: Join to #mageia-qa was synced in 7 secs
Typed:
/join #mageia-qa
to actually talk in the Mageia chatroom.
/part
/exit
No apparent problems.

CC: (none) => tarazed25
Len Lawrence
2017-07-23 10:31:44 CEST
Whiteboard: MGA5TOO mga5-32-ok advisory => MGA5TOO mga5-32-ok advisory MGA6-64-OK

mga6 on i586 virtualbox
Installed irssi and used the default config file in ~/.irssi
$ irssi
Irssi v1.0.3 - http://www.irssi.org
11:33 -!- ___ _
11:33 -!- |_ _|_ _ _____(_)
11:33 -!- | || '_(_-<_-< |
11:33 -!- |___|_| /__/__/_|
11:33 -!- Irssi v1.0.3 - http://www.irssi.org
11:33 -!- Irssi: Client: irssi 1.0.3 (20170605 1625)
11:33 -!- Irssi: Not connected to server
/version ->
11:36 -!- Irssi: Client: irssi 1.0.3 (20170605 1625)
Joined freenode and mageia qa channel:
/join #mageia-qa ->
11:39 -!- lcl [~lcl@cpc105078-sgyl40-2-0-cust252.18-2.cable.virginm.net] has joined #mageia-qa
11:39 -!- Topic for #mageia-qa: Mageia QA channel
/part
Installed the updates and imported config file from the host machine.
$ irssi
11:47 -!- Irssi: #mageia-qa: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal]
11:47 -!- Channel #mageia-qa created Thu Jan 6 12:25:17 2011
11:47 -NickServ(NickServ@services.)- tarazed is not a registered nickname.
11:47 -!- Irssi: Join to #mageia-qa was synced in 6 secs
/version
11:48 -!- Irssi: Client: irssi 1.0.4 (20170705 1712)
11:48 -!- ircd-seven-1.1.4(20170104-717fbca8dbac,charybdis-3.4-dev). tolkien.freenode.net eHIKMpSZ6 TS6ow 07I
11:48 -!- CHANTYPES=# EXCEPTS INVEX CHANMODES=eIbq,k,flj,CFLMPQScgimnprstz
....................
/nick tarazed
/join #mageia-qa
11:51 -!- Irssi: You are now talking in #mageia-qa
/part
11:52 -!- tarazed ............ has left #mageia-qa []
/quit
Good enough.
Len Lawrence
2017-07-23 12:54:56 CEST
Whiteboard: MGA5TOO mga5-32-ok advisory MGA6-64-OK => MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK

mga5 i586 virtualbox
Installed irssi, checked that it worked and installed the updates.
$ irssi
........................
13:07 -!- Irssi: #mageia-qa: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31
normal]
13:07 -!- Channel #mageia-qa created Thu Jan 6 12:25:17 2011
13:07 -NickServ(NickServ@services.)- tarazed is not a registered nickname.
13:07 -!- Irssi: Join to #mageia-qa was synced in 6 secs
/version
13:08 -!- Irssi: Client: irssi 0.8.21 (20170103 1424)
13:08 -!- ircd-seven-1.1.4(20170104-717fbca8dbac,charybdis-3.4-dev).
tolkien.freenode.net eHIKMpSZ6 TS6ow 07I
Checked /help and /help <some command>
/join #mageia-qa
13:11 -!- Irssi: You are now talking in #mageia-qa
13:12 < tarazed> Sorry folks - it's me again.
/part
/quit
Good for mga5 as well.
Len Lawrence
2017-07-23 14:14:41 CEST
Whiteboard: MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK => MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK MGA5-32-OK

Testing M5-64
"Irssi - a modular IRC client for UNIX".
Updated to:
irssi-0.8.21-1.2.mga5
irssi-perl-0.8.21-1.2.mga5
$ irssi
Irssi v0.8.21 - http://www.irssi.org
09:39 -!- ___ _
09:39 -!- |_ _|_ _ _____(_)
09:39 -!- | || '_(_-<_-< |
09:39 -!- |___|_| /__/__/_|
09:39 -!- Irssi v0.8.21 - http://www.irssi.org
/help to see available commands.
/server freenode
/nick <nickname>
/join #mageia-qa
showed the usual header, list of logged-in users. Could talk to it.
/part, /quit
$
I could not set a nickname before connecting to a server, where it seems to use initially the local login name. There are parameters to give some details on the command line:
$ irssi -c freenode -n <nickname>
Validating this update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0216.html

Resolution: (none) => FIXED