Gentoo has issued an advisory today (December 19):
http://www.gentoo.org/security/en/glsa/glsa-201412-31.xml

For some reason, I had this patched in Cauldron in April but didn't push it to Mageia 4.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated znc packages fix security vulnerability:

Adding an already existing channel to a user/network via web admin in ZNC causes a crash if the channel name isn't prefixed with '#' (CVE-2014-9403).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9403
http://www.gentoo.org/security/en/glsa/glsa-201412-31.xml
========================

Updated packages in core/updates_testing:
========================
znc-1.0-4.1.mga4
znc-devel-1.0-4.1.mga4

from znc-1.0-4.1.mga4.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11034#c1
Whiteboard: (none) => has_procedure
Tried to test this on mga4 x86_64 but had problems understanding the procedure.

Installed
znc-1.0-4.1.mga4
znc-devel-1.0-4.1.mga4
from Core Updates Testing

Ran znc --makeconf and defined server, port, user, password as in the procedure outlined in bug 11034#c1.....

What port would you like ZNC to listen on? (1025 to 65535): 3456
Would you like ZNC to listen using SSL? (yes/no) [no]:
Would you like ZNC to listen using ipv6? (yes/no) [yes]:
Listen Host (Blank for all ips): localhost
Load global module <partyline>? (yes/no) [no]:
Load global module <webadmin>? (yes/no) [no]:
Username (AlphaNumeric): znctest
Enter Password: znctest
Confirm Password: znctest
Would you like this user to be an admin? (yes/no) [yes]:
Nick [znctest]:

Left this running.

Used mcc to configure the firewall to allow web server to connect to internet (??)

Ran up irssi (only IRC client I know)
irssi --port=3456 --connect=localhost --password=znctest/freenode:znctest
and received error message:
Unable to connect to localhost

https://localhost:3456/ in Firefox failed likewise on server at localhost:3456
CC: (none) => tarazed25
Tried
irssi --port=3456 --hostname=localhost --password=znctest/freenode:znctest
and this time irssi came up with a blank page and a status line (blank) so I assume the IRC end is OK.

Still no connection in Firefox for https://localhost:3456
Next attempt: Set up znc with webadmin global module loaded. No further forward.
Hi Len,

Try with this option in znc --makeconfig :

Listen Host (Blank for all ips): (leave blank)
(...)
Load global module <webadmin>? (yes/no) [no]: yes

and browse to http://localhost:3456 (not https) if you don't configure it to use SSL.
CC: (none) => olchal
Thanks for the suggestions olivier/charles. Still no connection. Checked .znc/configs and found no config file there, which means that the znc session (still open) has not written the config file. I think we are supposed to close the makeconfig session cleanly and run znc &. Just guessing though. I am flying blind as far as znc goes. How to close it? No idea.
Tried /exit and hit a whole list of queries, many of which I did not understand. Eventually realized that this was a closedown dialogue - some of my responses were nonsense but all the same znc was able to proceed and asked about launching ZNC now. Config file written and znc forked to the background. After that the web interface was available.
Well done Len, got there in the end. Don't forget to add the 'OK' if you're happy with it.
The web interface seems to be functional. Marking this as OK. Will check later in 32bit vbox.
Whiteboard: has_procedure => advisory has_procedure MGA4-64-OK
Whiteboard: advisory has_procedure MGA4-64-OK => has_procedure MGA4-64-OK
Testing on Mageia 4x32 real hardware

Following procedure mentioned in comment 1 and remarks from Len

From current package :
-------------------
znc-1.0-4.mga4

$ znc --makeconf
Set up znc on localhost port 3456 using ssl with webadmin module
(...)
[ ?? ] Launch ZNC now? (yes/no) [yes]: yes
[ ok ] Opening config [/home/zitounu/.znc/configs/znc.conf]...
[ ok ] Loading global module [webadmin]... [/usr/lib/znc/webadmin.so]
[ ok ] Binding to port [+3456]...
[ ** ] Loading user [zncuser]
[ ok ] Forking into the background... [pid: 4034]
[ ** ] ZNC 1.0 - http://znc.in

Could connect to https://localhost:3456/
Used Webadmin to create a new user

Launched irssi
/connect -ssl localhost 3456 zncuser:zncuser
16:30 -!- Irssi: Looking up localhost
16:30 -!- Irssi: Connecting to localhost [127.0.0.1] port 3456
16:30 -!- Irssi: Connection to localhost established
16:30 -*status(znc@znc.in)- You have no networks configured. Use /znc AddNetwork <network> to add one.
16:30 -!- - Welcome to ZNC

$ killall znc

All OK

To updated testing package :
--------------------------
znc-1.0-4.1.mga4

$ znc
(to launch znc from previous config)

Browsed to https://localhost:3456/
in Webadmin created a new user
Launched irssi and connected with new user
/connect -ssl localhost 3456 user2:user2

Reconfigured znc without SSL with a new user
Could connect to it in browser and irssi.

Updated testing package working fine.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0543.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED