Bug 26886 - znc 1.8.1 update (CVE-2020-13775 only affected 1.8.0)
Summary: znc 1.8.1 update (CVE-2020-13775 only affected 1.8.0)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal enhancement
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2020-07-01 23:12 CEST by David Walser
Modified: 2020-08-11 02:36 CEST (History)
5 users (show)

See Also:
Source RPM: znc-1.7.4-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-07-01 23:12:38 CEST
Fedora has issued an advisory on today (July 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HS3DWGXLVRROQQA57UIPMDM6XMVEMBRA/

The issue is fixed upstream in 1.8.1.
Comment 1 Lewis Smith 2020-07-05 21:33:24 CEST
Assigning to the registered & active maintainer.

Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2020-07-06 09:44:36 CEST
(In reply to David Walser from comment #0)
> Fedora has issued an advisory on today (July 1):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/HS3DWGXLVRROQQA57UIPMDM6XMVEMBRA/
> 
> The issue is fixed upstream in 1.8.1.

1.8.1 submitted to 7 core/updates_testing: http://pkgsubmit.mageia.org/ .
Comment 3 David Walser 2020-07-06 15:07:34 CEST
Fedora advisory didn't have any info on the CVE.  I just saw that it only affected 1.8.0, so we weren't affected.  Changing this to a bugfix/enhancement update.

Advisory:
----------------------------------------

The znc package has been updated to version 1.8.1, containing several bug fixes
and enhancements.  See the upstream change logs for details.

References:
https://wiki.znc.in/ChangeLog/1.7.5
https://wiki.znc.in/ChangeLog/1.8.0
https://wiki.znc.in/ChangeLog/1.8.1
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
znc-1.8.1-1.mga7
znc-devel-1.8.1-1.mga7
znc-modperl-1.8.1-1.mga7
znc-modpython-1.8.1-1.mga7

from znc-1.8.1-1.mga7.src.rpm

Severity: normal => enhancement
Component: Security => RPM Packages
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
QA Contact: security => (none)

David Walser 2020-07-06 15:08:01 CEST

Summary: znc new security issue CVE-2020-13775 => znc 1.8.1 update (CVE-2020-13775 only affected 1.8.0)

Comment 4 Len Lawrence 2020-07-26 11:23:11 CEST
mga7, x86_64
Second attempt, after several weeks.
Before updating:
$ znc --makeconf
That worked although I did not fully understand the documentation.  There is considerable confusion about what name to use for user and what id and password to give.  This trial the current user's name and password.
Tried to launch the znc server and that failed:
$ systemctl status znc
● znc.service - ZNC, an advanced IRC bouncer
   Loaded: loaded (/usr/lib/systemd/system/znc.service; enabled; vendor preset:>
   Active: failed (Result: exit-code) since Sun 2020-07-26 09:36:24 BST; 8s ago
  Process: 7660 ExecStart=/usr/bin/znc -f (code=exited, status=1/FAILURE)
 Main PID: 7660 (code=exited, status=1/FAILURE)

However, it was possible to raise the web based login page by pointing the browser at <IP address of local machine>:1027.  Filled in the user/password fields and that worked.  Configuration settings were visible.

Used webadmin to add a message of the day and edit the listening ports - added 3456 and was able to login to another webadmin page at localhost:3456/.  1 IRC connection is recorded, no clients.  That is probably OK but I have no clue about this bounce business or what is meant by "client".

Having got this far it would seem that znc is actually working but testing has to stop at this point.  Not very satisfactory...

Updated the packages.
$ znc &
[1] 17036
lcl@canopus:znc $ [ .. ] Checking for list of available modules...
[ .. ] Opening config [/home/lcl/.znc/configs/znc.conf]...
[ !! ] ZNC is already running on this config.
[ ** ] Unrecoverable config error.
$ killall znc
$ znc &
[1] 23104
lcl@canopus:znc $ [ .. ] Checking for list of available modules...
[ .. ] Opening config [/home/lcl/.znc/configs/znc.conf]...
[ ** ] Found old config from ZNC 1.7.4. Saving a backup of it.
[ .. ] Creating a config backup...
[ >> ] /home/lcl/.znc/configs/znc.conf.pre-1.8.1
[ .. ] Loading global module [webadmin]...
[ .. ] Binding to port [1027]...
[ .. ] Binding to port [3456]...
[ ** ] Loading user [lcl]
[ ** ] Loading network [freenode]
[ .. ] Loading network module [simple_away]...
[ >> ] [/usr/lib64/znc/simple_away.so]
[ .. ] Adding 1 servers...
[ .. ] Loading user module [chansaver]...
[ .. ] Loading user module [controlpanel]...
[ .. ] Forking into the background...
[ >> ] [pid: 23108]
[ ** ] ZNC 1.8.1 - https://znc.in

Logged in to ZNC at localhost:3456/ and checked traffic.
1 IRC connection, 0 clients.

Joined #mageia-qa using irssi in another terminal but NickServ told me I was not quick enough to identify with usual nickname and logged me in as a guest.  No idea what is going on there.  Traffic info still records 1 IRC connection.

Giving up at this stage.  znc looks functional but the IRC bouncing thing needs to be tested by somebody who understands the methodology, so no green light.

CC: (none) => tarazed25

Comment 5 Herman Viaene 2020-08-04 14:56:43 CEST
@ Len,
I read thru the previous update bug 23327. We have been fiddling with that on and off for more than a year, no one else jumped in and finally ok'ed on clean install.
Trying to get to the bottom of this seems like a waste of time.

CC: (none) => herman.viaene

Comment 6 Len Lawrence 2020-08-04 19:30:09 CEST
Right you are Herman - reckon you are right.  Let's send it on its way.

Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2020-08-11 02:36:03 CEST
Sounds like a plan to me, guys. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update


Note You need to log in before you can comment on or make changes to this bug.