| Summary: | znc new security issue CVE-2024-39844 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | znc-1.8.2-21.mga9.src.rpm | CVE: | CVE-2024-39844 |
| Status comment: | |||
Description
Nicolas Salguero 2024-07-04 15:19:21 CEST

Nicolas Salguero 2024-07-04 15:20:05 CEST
Source RPM: (none) => znc-1.9.0-1.mga10.src.rpm, znc-1.8.2-21.mga9.src.rpm

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. (CVE-2024-39844)

References:
https://www.openwall.com/lists/oss-security/2024/07/03/9
========================

Updated packages in core/updates_testing:
========================
znc-1.8.2-21.1.mga9
znc-devel-1.8.2-21.1.mga9
znc-modperl-1.8.2-21.1.mga9
znc-modpython-1.8.2-21.1.mga9

from SRPM: znc-1.8.2-21.1.mga9.src.rpm

Status comment: Fixed upstream in 1.9.1 and patch available from upstream => (none)
katnatek 2024-07-04 18:20:02 CEST
Keywords: (none) => advisory

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing znc-1.8.2-21.1.mga9.x86_64.rpm znc-modpython-1.8.2-21.1.mga9.x86_64.rpm znc-modperl-1.8.2-21.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: znc ##################################################################################################
2/3: znc-modpython ##################################################################################################
3/3: znc-modperl ##################################################################################################
1/3: removing znc-modperl-1.8.2-21.mga9.x86_64
##################################################################################################
2/3: removing znc-modpython-1.8.2-21.mga9.x86_64
##################################################################################################
3/3: removing znc-1.8.2-21.mga9.x86_64
##################################################################################################
Reference bug#26886 comment#4, but some things have changed: the application does not recommend running as root.
As user
znc --makeconf
[ .. ] Checking for list of available modules...
[ ** ]
[ ** ] -- Global settings --
[ ** ]
[ ?? ] Listen on port (1025 to 65534): 1025
[ ?? ] Listen using SSL (yes/no) [no]: yes
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no
[ .. ] Verifying the listener...
[ ** ] Unable to locate pem file: [/home/katnatek/.znc/znc.pem], creating it
[ .. ] Writing Pem file [/home/katnatek/.znc/znc.pem]...
[ ** ] Enabled global modules [webadmin]
[ ** ]
[ ** ] -- Admin user settings --
[ ** ]
[ ?? ] Username (alphanumeric): katnatek
[ ?? ] Enter password:
[ ?? ] Confirm password:
[ ?? ] Nick [katnatek]:
[ ?? ] Alternate nick [katnatek_]:
[ ?? ] Ident [katnatek]:
[ ?? ] Real name (optional):
[ ?? ] Bind host (optional):
[ ** ] Enabled user modules [chansaver, controlpanel]
[ ** ]
[ ?? ] Set up a network? (yes/no) [yes]: no
[ ** ]
[ .. ] Writing config [/home/katnatek/.znc/configs/znc.conf]...
[ ** ]
[ ** ] To connect to this ZNC you need to connect to it as your IRC server
[ ** ] using the port that you supplied. You have to supply your login info
[ ** ] as the IRC server password like this: user/network:pass.
[ ** ]
[ ** ] Try something like this in your IRC client...
[ ** ] /server <znc_server_ip> +1025 katnatek:<pass>
[ ** ]
[ ** ] To manage settings, users and networks, point your web browser to
[ ** ] https://<znc_server_ip>:1025/
[ ** ]
[ ?? ] Launch ZNC now? (yes/no) [yes]: yes
[ .. ] Opening config [/home/katnatek/.znc/configs/znc.conf]...
[ .. ] Loading global module [webadmin]...
[ .. ] Binding to port [+1025] using ipv4...
[ ** ] Loading user [katnatek]
[ .. ] Loading user module [chansaver]...
[ .. ] Loading user module [controlpanel]...
[ .. ] Forking into the background...
[ >> ] [pid: 143248]
[ ** ] ZNC 1.8.2 - https://znc.in
Open https://localhost:1025/ it presents a login page
Can login with my user and password
Looks good

Whiteboard: (none) => MGA9-64-OK

Validating.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0257.html

Resolution: (none) => FIXED