Advisories have been issued today (July 18): http://openwall.com/lists/oss-security/2018/07/18/4 http://openwall.com/lists/oss-security/2018/07/18/5 The issues are fixed upstream in 1.7.1. Mageia 6 is also affected by the first issue, and Mageia 5 and Mageia 6 are affected by the second.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO
znc-1.7.1-1.mga7 uploaded for Cauldron by Shlomi.
Status comment: (none) => Fixed upstream in 1.7.1
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Updated package uploaded for Mageia 6 by Shlomi. Advisory to come later.

Updated packages in core/updates_testing:
========================
znc-1.7.1-1.mga6
znc-devel-1.7.1-1.mga6
znc-modperl-1.7.1-1.mga6
znc-modpython-1.7.1-1.mga6

from znc-1.7.1-1.mga6.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Debian has issued an advisory for this on July 18:
https://www.debian.org/security/2018/dsa-4252

Advisory:
========================

Updated znc packages fix security vulnerabilities:

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which could result in privilege escalation or denial of service (CVE-2018-14055, CVE-2018-14056).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14056
https://www.debian.org/security/2018/dsa-4252
MGA6-32 MATE IBM Thinkpad R50e
No installation issues

$ znc --makeconf
[ .. ] Checking for list of available modules...
[ ** ]
[ ** ] -- Global settings --
[ ** ]
[ ?? ] Listen on port (1025 to 65534):
[ ?? ] Listen on port (1025 to 65534): 6665-6667
[ ?? ] Listen using SSL (yes/no) [no]:
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no
[ .. ] Verifying the listener...
[ ** ] Unable to locate pem file: [/home/tester6/.znc/znc.pem], creating it
[ .. ] Writing Pem file [/home/tester6/.znc/znc.pem]...
[ ** ] Enabled global modules [webadmin]
[ ** ]
[ ** ] -- Admin user settings --
[ ** ]
[ ?? ] Username (alphanumeric): hviaene
[ ?? ] Enter password:
[ ?? ] Confirm password:
[ ?? ] Nick [hviaene]:
[ ?? ] Alternate nick [hviaene_]:
[ ?? ] Ident [hviaene]:
[ ?? ] Real name (optional):
[ ?? ] Bind host (optional):
[ ** ] Enabled user modules [chansaver, controlpanel]
[ ** ]
[ ?? ] Set up a network? (yes/no) [yes]:
[ ** ]
[ ** ] -- Network settings --
[ ** ]
[ ?? ] Name [freenode]: freenode.irc.org
[ ?? ] Name [freenode]: card.freenode.net
[ ?? ] Name [freenode]:
[ ?? ] Server host [chat.freenode.net]:
[ ?? ] Server uses SSL? (yes/no) [yes]: no
[ ?? ] Server port (1 to 65535) [6667]:
[ ?? ] Server password (probably empty):
[ ?? ] Initial channels: #mageia-qa
[ ** ] Enabled network modules [simple_away]
[ ** ]
[ .. ] Writing config [/home/tester6/.znc/configs/znc.conf]...
[ ** ]
[ ** ] To connect to this ZNC you need to connect to it as your IRC server
[ ** ] using the port that you supplied. You have to supply your login info
[ ** ] as the IRC server password like this: user/network:pass.
[ ** ]
[ ** ] Try something like this in your IRC client...
[ ** ] /server <znc_server_ip> 6665 hviaene:<pass>
[ ** ]
[ ** ] To manage settings, users and networks, point your web browser to
[ ** ] http://<znc_server_ip>:6665/
[ ** ]
[ ?? ] Launch ZNC now? (yes/no) [yes]:
[ .. ] Opening config [/home/tester6/.znc/configs/znc.conf]...
[ .. ] Loading global module [webadmin]...
[ .. ] Binding to port [6665] using ipv4...
[ ** ] Loading user [hviaene]
[ ** ] Loading network [freenode]
[ .. ] Loading network module [simple_away]...
[ >> ] [/usr/lib/znc/simple_away.so]
[ .. ] Adding server [chat.freenode.net 6667 ]...
[ .. ] Loading user module [chansaver]...
[ .. ] Loading user module [controlpanel]...
[ .. ] Forking into the background...
[ >> ] [pid: 24793]
[ ** ] ZNC 1.7.1 - https://znc.in

Not very sure this is all OK.
Launched then hexchat and tried to connect. Got as far as:

* Looking up localhost
* Connecting to localhost (127.0.0.1:6665)
* Connected. Now logging in.
* Capabilities supported: batch cap-notify echo-message multi-prefix server-time userhost-in-names znc.in/batch znc.in/self-message znc.in/server-time-iso
* Capabilities requested: cap-notify multi-prefix server-time userhost-in-names znc.in/server-time-iso
* Capabilities acknowledged: cap-notify multi-prefix server-time userhost-in-names znc.in/server-time-iso
* Password required
* *** You need to send your password. Configure your client to send a server password.
* *** To connect now, you can use /quote PASS <username>:<password>, or /quote PASS <username>/<network>:<password> to connect to a specific network.
Not in a kanaal. Try /join #<channel>

I try join #mageia-qa, but this gets me nowhere.
CC: (none) => herman.viaene
IIRC ZNC has a web based management console which might be easier to use to join channels etc.
https://wiki.znc.in/FAQ#How_can_I_access_webadmin_with_my_browser.3F
Did not mention it, but tried to connect to localhost:6665, but Firefox does not like it. I get (translated): "This address has restricted access. This address uses a network port which is normally used for other purposes than web browsing. Firefox cancelled the request to protect you." Not sure how to manipulate Firefox for this.
It perhaps doesn't host the web interface on all available ports. 6667 would be the standard IRC port though, try again with that one instead or choose a single port when setting up znc.
I get the warning during setting up znc: "WARNING: Some web browsers reject port 6667. If you intend to use ZNC's web interface, you might want to use another port." And indeed same error in Firefox as before.
Tried again and took as port for znc 8080, defined a user and password, and accepted for the rest all defaults, except for using IPv6. Now pointing Firefox at localhost:8080 brings me to the login page, logging in with the user and password from the setup brings me to "ZNC Frontend" and settings and info menu. But I find no way to get beyond those pages.
Before
------
# urpmi znc
$MIRRORLIST: media/core/release/znc-1.6.3-4.mga6.x86_64.rpm
installing znc-1.6.3-4.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ####################
1/1: znc ####################

Didn't configure it.

After
-----
# urpmi znc
$MIRRORLIST: media/core/updates_testing/znc-1.7.1-1.mga6.x86_64.rpm
installing znc-1.7.1-1.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ####################
1/1: znc ####################
Failed to try-restart znc.service: Unit znc.service is not loaded properly: Invalid argument.
See system logs and 'systemctl status znc.service' for details.
warning: %post(znc-1.7.1-1.mga6.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for znc-1.7.1-1.mga6.x86_64
1/1: removing znc-1.6.3-4.mga6.x86_64 #####################

Script failed with the update. Adding feedback marker.
Whiteboard: (none) => feedback
CC: (none) => pkg-bugs, qa-bugs
Assignee: qa-bugs => shlomif
Ubuntu has issued an advisory on April 18:
https://usn.ubuntu.com/3950-1/

One new issue is fixed upstream in 1.7.3.
Whiteboard: feedback => (none)
Status comment: Fixed upstream in 1.7.1 => Fixed upstream in 1.7.3
Summary: znc new security issues CVE-2018-1405[56] => znc new security issues CVE-2018-1405[56] and CVE-2019-9917
Debian and Ubuntu have issued advisories on June 14 and July 1:
https://www.debian.org/security/2019/dsa-4463
https://usn.ubuntu.com/4044-1/

They fix a new issue that was fixed upstream in 1.7.4.
Summary: znc new security issues CVE-2018-1405[56] and CVE-2019-9917 => znc new security issues CVE-2018-1405[56], CVE-2019-9917, and CVE-2019-12816
Version: 6 => 7
Whiteboard: (none) => MGA6TOO
Source RPM: znc-1.7.0-1.mga7.src.rpm => znc-1.7.3-1.mga7.src
Status comment: Fixed upstream in 1.7.3 => Fixed upstream in 1.7.4
Advisory:
========================

Updated znc packages fix security vulnerabilities:

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which could result in privilege escalation or denial of service (CVE-2018-14055, CVE-2018-14056).

Two vulnerabilities were discovered in the ZNC IRC bouncer which could result in remote code execution (CVE-2019-12816) or denial of service via invalid encoding (CVE-2019-9917).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12816
https://www.debian.org/security/2018/dsa-4252
https://www.debian.org/security/2019/dsa-4463
========================

Updated packages in core/updates_testing:
========================
znc-1.7.4-1.mga6
znc-devel-1.7.4-1.mga6
znc-modperl-1.7.4-1.mga6
znc-modpython-1.7.4-1.mga6
znc-1.7.4-1.mga7
znc-devel-1.7.4-1.mga7
znc-modperl-1.7.4-1.mga7
znc-modpython-1.7.4-1.mga7

from SRPMS:
znc-1.7.4-1.mga6.src.rpm
znc-1.7.4-1.mga7.src.rpm
CC: qa-bugs => (none)
Assignee: shlomif => qa-bugs
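A small Python check, added here and not part of the bug report or of ZNC itself, that maps an installed Mageia znc package name to the CVEs from this thread that are still open in it, using the fixed-upstream versions stated above (1.7.1 for the first pair, 1.7.3 and 1.7.4 for the later two). It assumes Mageia's name-version-release.mgaN naming (optionally with an arch suffix, as in the urpmi output above) and compares numeric version parts only, not full rpm version semantics.

```python
import re

# Upstream ZNC releases that fix each CVE, as stated in this bug report.
FIXED_IN = {
    "CVE-2018-14055": "1.7.1",
    "CVE-2018-14056": "1.7.1",
    "CVE-2019-9917": "1.7.3",
    "CVE-2019-12816": "1.7.4",
}

# Mageia NVR: <name>-<version>-<release>.mga<N>[.<arch>]   (assumed layout)
NVR_RE = re.compile(
    r"^(?P<name>[a-z][\w+-]*?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>\d+)"
    r"\.mga(?P<mga>\d+)(?:\.(?P<arch>x86_64|i586|noarch))?$"
)


def version_tuple(version: str) -> tuple:
    """'1.7.1' -> (1, 7, 1). Numeric parts only; rpmvercmp handles more."""
    return tuple(int(part) for part in version.split("."))


def parse_nvr(nvr: str) -> dict:
    """Split a Mageia package NVR into name, version tuple, release, mga."""
    m = NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError(f"not a Mageia package NVR: {nvr!r}")
    return {
        "name": m.group("name"),
        "version": version_tuple(m.group("ver")),
        "release": int(m.group("rel")),
        "mga": int(m.group("mga")),
    }


def unpatched_cves(nvr: str) -> set:
    """CVEs from FIXED_IN whose fixing release is newer than the package."""
    pkg = parse_nvr(nvr)
    if pkg["name"].split("-")[0] != "znc":   # znc, znc-devel, znc-modpython...
        raise ValueError(f"not a znc package: {nvr!r}")
    return {cve for cve, fix in FIXED_IN.items()
            if pkg["version"] < version_tuple(fix)}


def audit(installed: list) -> dict:
    """Map each installed znc NVR (e.g. from 'rpm -qa znc*') to open CVEs."""
    return {nvr: sorted(unpatched_cves(nvr)) for nvr in installed}
```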
mga7, x86_64

Updated cleanly. Ran the configuration command as above (comment 4) and all seemed to go well. irssi is my normal IRC client but it is configured to autojoin so I tried hexchat. That got as far as #mageia-meeting but I could not join because there seemed to be some confusion between my local id, which is 'lcl', and the IRC nickname, which is 'tarazed'. It kept on prompting me as lcl. I tried to log in as tarazed using /msg NickServ identify tarazed ....... and was rejected. Tried the web interface at port 6665 and was rejected, like Herman.

Checked znc server status:
$ systemctl status znc
● znc.service - ZNC, an advanced IRC bouncer
   Loaded: loaded (/usr/lib/systemd/system/znc.service; enabled; vendor preset:>
   Active: failed (Result: exit-code) since Fri 2019-08-16 08:14:01 BST; 16s ago
 Main PID: 2419 (code=exited, status=1/FAILURE)
Whiteboard: MGA6TOO => (none)
CC: (none) => tarazed25
Whiteboard: (none) => MGA6TOO
mga6, x86_64

Tried this before the update and ran the configuration. Discovered by experimenting that znc needs to be started by the user.
$ znc &
That then allows the web interface to be used on the specified port, in this case 6671. Exited there. Updating later.
OK. Ran the update and launched the web interface on localhost:6671/ Checked the various screens. So now what? My irssi config file works just as it always did - no sign of znc anywhere. Same for hexchat. Don't know what "bounce" means or what znc is actually for. It is running in the background and the web interface is live so we can assume that the basics work. Is this good enough for an OK?
Further to comment 16: Again tried creating a new conf file as in comment 4, ran up irssi, which is set for autoconnect and tried to override it without being at all clear what values to use in order to connect through the znc server. The messages indicated that freenode was connected to localhost (the znc server?) but then the connection was reset almost immediately by peer (means nothing to me). I still do not understand what part znc is supposed to play in all this when you are directed to use your normal IRC client. What exactly is the advantage in connecting through an external service rather than your usual config method? Or to put it another way, what the hell is an IRC bouncer?
Another point - the web interface is only available with the original, default, config file. As soon as that is replaced by the reconstructed user config file the web interface is inaccessible. Also, once the znc server is running, does anybody know how you access it? There does not seem to be an interface, cli or otherwise.
Looking back at earlier comments - the znc server should be started with systemd; forgot that.
$ sudo systemctl enable znc.service
$ sudo systemctl start znc.service
Failed to start znc.service: Unit znc.service is not loaded properly: Invalid argument.
See system logs and 'systemctl status znc.service' for details.
$ systemctl status znc.service
Failed to dump process list, ignoring: Unit znc.service is not loaded properly:
● znc.service - ZNC - an advanced IRC bouncer
   Loaded: error (Reason: Invalid argument)
   Active: inactive (dead)
It looks like we are not going to get anywhere with testing this so it should be released on the basis of a clean update and the fact of a working web interface with the default configuration. There is an advisory in comment 13 but I shall leave validation in case somebody steps in with a successful operational test.
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
MGA7-64 Plasma on Lenovo B50 No installation issues. Continuing later on.
Configured as per Comment 4 above. Tried hexchat, but got nowhere trying to connect to mageia-meeting, message "Not registered".
Tried web interface:
- with firefox: port not allowed for browsing
- with konqueror: localhost:6665 gives invalid url. This mentions to format the address line as http://<user>@<password>:localhost:6665, but this results in "Undocumented error"
- with lynx as $ lynx localhost:6665 and then I get into the web interface, I can navigate in the pages, but sincerely I don't know what to do there unless I would spend time to study the subject.
If Len e.a. agree, this is OK for me.
@Herman, with respect to comment 22. You have had a little more experience with this but seem to have encountered similar troubles to mine. And time is getting short so IMHO you should just OK this on the basis of a clean update. Thanks.
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
Validating. Advisory in Comment 13.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0262.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED