Fedora has issued an advisory today (July 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HS3DWGXLVRROQQA57UIPMDM6XMVEMBRA/

The issue is fixed upstream in 1.8.1.
Assigning to the registered & active maintainer.
Assignee: bugsquad => shlomif
(In reply to David Walser from comment #0)
> Fedora has issued an advisory today (July 1):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HS3DWGXLVRROQQA57UIPMDM6XMVEMBRA/
>
> The issue is fixed upstream in 1.8.1.

1.8.1 submitted to 7 core/updates_testing: http://pkgsubmit.mageia.org/ .
Fedora advisory didn't have any info on the CVE. I just saw that it only affected 1.8.0, so we weren't affected. Changing this to a bugfix/enhancement update.

Advisory:
----------------------------------------

The znc package has been updated to version 1.8.1, containing several bug fixes and enhancements. See the upstream change logs for details.

References:
https://wiki.znc.in/ChangeLog/1.7.5
https://wiki.znc.in/ChangeLog/1.8.0
https://wiki.znc.in/ChangeLog/1.8.1
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
znc-1.8.1-1.mga7
znc-devel-1.8.1-1.mga7
znc-modperl-1.8.1-1.mga7
znc-modpython-1.8.1-1.mga7

from znc-1.8.1-1.mga7.src.rpm
Severity: normal => enhancement
QA Contact: security => (none)
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Component: Security => RPM Packages
Summary: znc new security issue CVE-2020-13775 => znc 1.8.1 update (CVE-2020-13775 only affected 1.8.0)
mga7, x86_64

Second attempt, after several weeks.

Before updating:
$ znc --makeconf
That worked although I did not fully understand the documentation. There is considerable confusion about what name to use for user and what id and password to give. This trial used the current user's name and password.

Tried to launch the znc server and that failed:
$ systemctl status znc
● znc.service - ZNC, an advanced IRC bouncer
   Loaded: loaded (/usr/lib/systemd/system/znc.service; enabled; vendor preset:>
   Active: failed (Result: exit-code) since Sun 2020-07-26 09:36:24 BST; 8s ago
  Process: 7660 ExecStart=/usr/bin/znc -f (code=exited, status=1/FAILURE)
 Main PID: 7660 (code=exited, status=1/FAILURE)

However, it was possible to raise the web based login page by pointing the browser at <IP address of local machine>:1027. Filled in the user/password fields and that worked. Configuration settings were visible.

Used webadmin to add a message of the day and edit the listening ports - added 3456 and was able to login to another webadmin page at localhost:3456/. 1 IRC connection is recorded, no clients. That is probably OK but I have no clue about this bounce business or what is meant by "client".

Having got this far it would seem that znc is actually working but testing has to stop at this point. Not very satisfactory...

Updated the packages.
$ znc &
[1] 17036
lcl@canopus:znc $ [ .. ] Checking for list of available modules...
[ .. ] Opening config [/home/lcl/.znc/configs/znc.conf]...
[ !! ] ZNC is already running on this config.
[ ** ] Unrecoverable config error.
$ killall znc
$ znc &
[1] 23104
lcl@canopus:znc $ [ .. ] Checking for list of available modules...
[ .. ] Opening config [/home/lcl/.znc/configs/znc.conf]...
[ ** ] Found old config from ZNC 1.7.4. Saving a backup of it.
[ .. ] Creating a config backup...
[ >> ] /home/lcl/.znc/configs/znc.conf.pre-1.8.1
[ .. ] Loading global module [webadmin]...
[ .. ] Binding to port [1027]...
[ .. ] Binding to port [3456]...
[ ** ] Loading user [lcl]
[ ** ] Loading network [freenode]
[ .. ] Loading network module [simple_away]...
[ >> ] [/usr/lib64/znc/simple_away.so]
[ .. ] Adding 1 servers...
[ .. ] Loading user module [chansaver]...
[ .. ] Loading user module [controlpanel]...
[ .. ] Forking into the background...
[ >> ] [pid: 23108]
[ ** ] ZNC 1.8.1 - https://znc.in

Logged in to ZNC at localhost:3456/ and checked traffic. 1 IRC connection, 0 clients.

Joined #mageia-qa using irssi in another terminal but NickServ told me I was not quick enough to identify with usual nickname and logged me in as a guest. No idea what is going on there. Traffic info still records 1 IRC connection.

Giving up at this stage. znc looks functional but the IRC bouncing thing needs to be tested by somebody who understands the methodology, so no green light.
CC: (none) => tarazed25
@ Len, I read thru the previous update bug 23327. We have been fiddling with that on and off for more than a year, no one else jumped in and finally ok'ed on clean install. Trying to get to the bottom of this seems like a waste of time.
CC: (none) => herman.viaene
Right you are Herman - reckon you are right. Let's send it on its way.
Whiteboard: (none) => MGA7-64-OK
Sounds like a plan to me, guys. Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0316.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED