CVEs have been requested for security issues fixed in irssi 0.8.21: http://openwall.com/lists/oss-security/2017/01/05/2 Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
CVE-2017-519[3-6] assigned: http://openwall.com/lists/oss-security/2017/01/06/1
Summary: irssi new security issues fixed upstream in 0.8.21 => irssi new security issues fixed upstream in 0.8.21 (CVE-2017-519[3-6])
Pushed irssi 0.8.21 to core/updates_testing for mga5 and will request a freeze push for cauldron.
CC: (none) => jani.valimaa
Assignee: cooker => qa-bugs
Advisory:
========================
Updated irssi packages fix security vulnerability:
In irssi before 0.8.21, a NULL pointer dereference in the nickcmp function (CVE-2017-5193).
In irssi before 0.8.21, use after free when receiving invalid nick message (CVE-2017-5194).
In irssi before 0.8.21, out of bounds read in certain incomplete control codes (CVE-2017-5195).
In irssi before 0.8.21, out of bounds read in certain incomplete character sequences (CVE-2017-5196).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
https://irssi.org/security/irssi_sa_2017_01.txt
https://irssi.org/2017/01/05/irssi-0.8.21-released/
========================
Updated packages in core/updates_testing:
========================
irssi-0.8.21-1.mga5
irssi-devel-0.8.21-1.mga5
irssi-perl-0.8.21-1.mga5
from irssi-0.8.21-1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
openSUSE has issued an advisory for this on January 9: https://lists.opensuse.org/opensuse-updates/2017-01/msg00058.html
URL: (none) => https://lwn.net/Vulnerabilities/711189/
MGA5-32 on Acer D620 Xfce
No installation issues
Found https://quadpoint.org/articles/irssi that got me to connect to irc.freenode.org and join #mageia-qa
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
$ uname -a
Linux localhost 4.4.39-server-1.mga5 #1 SMP Fri Dec 16 19:07:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
The following 2 packages are going to be installed:
- irssi-0.8.21-1.mga5.x86_64
- irssi-perl-0.8.21-1.mga5.x86_64
2.4MB of additional disk space will be used.
followed Herman's link above
8:14 -!- Irssi: #mageia: Total of 76 nicks [1 ops, 0 halfops, 0 voices, 75 normal]
08:14 -!- Channel #mageia created Fri Sep 17 11:32:10 2010
08:14 -!- Irssi: Join to #mageia was synced in 6 secs
08:15 < brian__> hi all - can you read my IM? from irssi
08:15 < marja> brian__: I can read you
08:15 < brian__> thank you marja
08:16 < marja> brian__: so you got irssi to work, and you're in #mageia
08:16 < brian__> yup
08:16 < brian__> hurray!
08:16 < marja> brian__: congrats
[08:17] [brian__(+i)] [2:freenode/#mageia(+cn)] [Act: 1] [#mageia]
CC: (none) => brtians1
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CVE-2017-5356 assigned for another issue fixed here: http://openwall.com/lists/oss-security/2017/01/13/2
Advisory:
========================
Updated irssi packages fix security vulnerability:
In irssi before 0.8.21, a NULL pointer dereference in the nickcmp function (CVE-2017-5193).
In irssi before 0.8.21, use after free when receiving invalid nick message (CVE-2017-5194).
In irssi before 0.8.21, out of bounds read in certain incomplete control codes (CVE-2017-5195).
In irssi before 0.8.21, out of bounds read in certain incomplete character sequences (CVE-2017-5196).
In irssi before 0.8.21, out of bounds read when printing certain values (CVE-2017-5356).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356
https://irssi.org/security/irssi_sa_2017_01.txt
https://irssi.org/2017/01/05/irssi-0.8.21-released/
http://openwall.com/lists/oss-security/2017/01/13/2
Summary: irssi new security issues fixed upstream in 0.8.21 (CVE-2017-519[3-6]) => irssi new security issues fixed upstream in 0.8.21 (CVE-2017-519[3-6], CVE-2017-5356)
Advisory uploaded from Comments 3 (SRPM) and 7 (the rest).
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK mga5-64-ok advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0018.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #7)
> CVE-2017-5356 assigned for another issue fixed here:
> http://openwall.com/lists/oss-security/2017/01/13/2
LWN reference: https://lwn.net/Vulnerabilities/711781/