Debian-LTS has issued an advisory on June 21: https://www.debian.org/lts/security/2020/dla-2252 The issue is fixed upstream in 26rc2. Mageia 7 is also affected.
CC: (none) => nicolas.salgueroWhiteboard: (none) => MGA7TOO
Suggested advisory: ======================== The updated package fixes a security vulnerability: The Server-Server protocol implementation in ngIRCd before 26~rc2 allows an out-of-bounds access, as demonstrated by the IRC_NJOIN() function. (CVE-2020-14148) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14148 https://www.debian.org/lts/security/2020/dla-2252 ======================== Updated package in core/updates_testing: ======================== ngircd-25-1.1.mga7 from SRPM: ngircd-25-1.1.mga7.src.rpm
Source RPM: ngircd-25-2.mga8.src.rpm => ngircd-25-1.mga7.src.rpmCVE: (none) => CVE-2020-14148Assignee: bugsquad => qa-bugsVersion: Cauldron => 7Status: NEW => ASSIGNEDWhiteboard: MGA7TOO => (none)
MGA7-64 Plasma on Lenovo B50 No installation issues. Ref bug 11082 for test, but info there is quite sparse. Attaching the files I edited. # systemctl start ngircd [root@mach5 ~]# systemctl -l status ngircd ● ngircd.service - Next Generation IRC Daemon Loaded: loaded (/usr/lib/systemd/system/ngircd.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2020-07-03 14:19:00 CEST; 3s ago Main PID: 7703 (ngircd) Tasks: 1 (limit: 4915) Memory: 704.0K CGroup: /system.slice/ngircd.service └─7703 /usr/sbin/ngircd -n Jul 03 14:19:00 mach5.hviaene.thuis systemd[1]: Started Next Generation IRC Daemon. Jul 03 14:19:00 mach5.hviaene.thuis ngircd[7703]: [7703:3 0] Can't read MOTD file "/etc/ngircd.motd": No such file or dire> Jul 03 14:19:00 mach5.hviaene.thuis ngircd[7703]: [7703:4 0] No administrative information configured but required by RFC! Jul 03 14:19:00 mach5.hviaene.thuis ngircd[7703]: [7703:5 0] ngIRCd 25-IPv6+IRCPLUS+PAM+SSL+SYSLOG+TCPWRAP+ZLIB-x86_64/mag> Jul 03 14:19:00 mach5.hviaene.thuis ngircd[7703]: [7703:6 0] Using configuration file "/etc/ngircd.conf" ... Jul 03 14:19:00 mach5.hviaene.thuis ngircd[7703]: [7703:6 0] Running as user ngircd(976), group ngircd(968), with PID 7703. Jul 03 14:19:00 mach5.hviaene.thuis ngircd[7703]: [7703:6 0] Not running with changed root directory. provided a ngircd.motd file, that got rid of this message. Tried to connect with Hexchat, but got no further than "Access denied: bad password?" Not sure whether the channel key file has to be just the <channelname>.key (as attached, or #<channelname>.key. Provided both (just copy and rename the file), but to no avail.
CC: (none) => herman.viaene
When I try to attach the conf file (15kb) I get: Software error: Malformed multipart POST: data truncated
Started the server with no config changes. Connected to it on 127.0.0.1:6667, confirming via wireshark that it was responding. Validating the update.
CC: (none) => davidwhodgins, sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisoryCC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0340.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED