That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/07/03/9

The problem is fixed in version 1.9.1 or with the following commit:
https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e

Mageia 9 is also affected.
Source RPM: (none) => znc-1.9.0-1.mga10.src.rpm, znc-1.8.2-21.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.9.1 and patch available from upstream
CVE: (none) => CVE-2024-39844
Whiteboard: (none) => MGA9TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. (CVE-2024-39844)

References:
https://www.openwall.com/lists/oss-security/2024/07/03/9
========================

Updated packages in core/updates_testing:
========================
znc-1.8.2-21.1.mga9
znc-devel-1.8.2-21.1.mga9
znc-modperl-1.8.2-21.1.mga9
znc-modpython-1.8.2-21.1.mga9

from SRPM:
znc-1.8.2-21.1.mga9.src.rpm
Status comment: Fixed upstream in 1.9.1 and patch available from upstream => (none)
Assignee: bugsquad => qa-bugs
Source RPM: znc-1.9.0-1.mga10.src.rpm, znc-1.8.2-21.mga9.src.rpm => znc-1.8.2-21.mga9.src.rpm
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing znc-1.8.2-21.1.mga9.x86_64.rpm znc-modpython-1.8.2-21.1.mga9.x86_64.rpm znc-modperl-1.8.2-21.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: znc ##################################################################################################
2/3: znc-modpython ##################################################################################################
3/3: znc-modperl ##################################################################################################
1/3: removing znc-modperl-1.8.2-21.mga9.x86_64 ##################################################################################################
2/3: removing znc-modpython-1.8.2-21.mga9.x86_64 ##################################################################################################
3/3: removing znc-1.8.2-21.mga9.x86_64 ##################################################################################################

Reference bug#26886 comment#4, but some things have changed: the application does not recommend use as root.

As user:

znc --makeconf
[ .. ] Checking for list of available modules...
[ ** ]
[ ** ] -- Global settings --
[ ** ]
[ ?? ] Listen on port (1025 to 65534): 1025
[ ?? ] Listen using SSL (yes/no) [no]: yes
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no
[ .. ] Verifying the listener...
[ ** ] Unable to locate pem file: [/home/katnatek/.znc/znc.pem], creating it
[ .. ] Writing Pem file [/home/katnatek/.znc/znc.pem]...
[ ** ] Enabled global modules [webadmin]
[ ** ]
[ ** ] -- Admin user settings --
[ ** ]
[ ?? ] Username (alphanumeric): katnatek
[ ?? ] Enter password:
[ ?? ] Confirm password:
[ ?? ] Nick [katnatek]:
[ ?? ] Alternate nick [katnatek_]:
[ ?? ] Ident [katnatek]:
[ ?? ] Real name (optional):
[ ?? ] Bind host (optional):
[ ** ] Enabled user modules [chansaver, controlpanel]
[ ** ]
[ ?? ] Set up a network? (yes/no) [yes]: no
[ ** ]
[ .. ] Writing config [/home/katnatek/.znc/configs/znc.conf]...
[ ** ]
[ ** ] To connect to this ZNC you need to connect to it as your IRC server
[ ** ] using the port that you supplied. You have to supply your login info
[ ** ] as the IRC server password like this: user/network:pass.
[ ** ]
[ ** ] Try something like this in your IRC client...
[ ** ] /server <znc_server_ip> +1025 katnatek:<pass>
[ ** ]
[ ** ] To manage settings, users and networks, point your web browser to
[ ** ] https://<znc_server_ip>:1025/
[ ** ]
[ ?? ] Launch ZNC now? (yes/no) [yes]: yes
[ .. ] Opening config [/home/katnatek/.znc/configs/znc.conf]...
[ .. ] Loading global module [webadmin]...
[ .. ] Binding to port [+1025] using ipv4...
[ ** ] Loading user [katnatek]
[ .. ] Loading user module [chansaver]...
[ .. ] Loading user module [controlpanel]...
[ .. ] Forking into the background...
[ >> ] [pid: 143248]
[ ** ] ZNC 1.8.2 - https://znc.in

Open https://localhost:1025/; it presents a login page.
Can log in with my user and password.
Looks good.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0257.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
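
An exposure check to run alongside this update, added here as an example and not part of the bug report or of ZNC: the advisory places the flaw in modtcl, so the script lists every scope in which a znc.conf loads that module. The sample config is constructed, and `find_modtcl` and `write_sample_conf` are hypothetical helper names.

```shell
#!/bin/sh
# find_modtcl CONF
# Prints "<scope><TAB>line <n>" for every LoadModule line that loads modtcl,
# where scope is global, user:<name> or user:<name>/network:<name>.
# Returns 0 if modtcl is loaded anywhere in CONF, 1 if it is not.
find_modtcl() {
    awk '
        # Track which <User> / <Network> section the current line is in.
        /^[ \t]*<User[ \t]/    { user = $2; sub(/>.*/, "", user) }
        /^[ \t]*<\/User>/      { user = "" }
        /^[ \t]*<Network[ \t]/ { net = $2; sub(/>.*/, "", net) }
        /^[ \t]*<\/Network>/   { net = "" }
        # Match "LoadModule = modtcl", with or without module arguments.
        /^[ \t]*LoadModule[ \t]*=[ \t]*modtcl([ \t]|$)/ {
            scope = "global"
            if (user != "") scope = "user:" user
            if (net != "")  scope = scope "/network:" net
            printf "%s\tline %d\n", scope, NR
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample config for the demonstration (not taken from the report).
write_sample_conf() {
    cat > "$1" <<'EOF'
Version = 1.8.2
LoadModule = webadmin
<User katnatek>
    LoadModule = chansaver
    LoadModule = controlpanel
    <Network example>
        LoadModule = modtcl
    </Network>
</User>
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
if find_modtcl "$conf"; then
    echo "modtcl is loaded: apply the fixed packages or unload the module"
else
    echo "modtcl is not loaded in $conf"
fi
rm -f "$conf"
```

On a real host, point `find_modtcl` at the config path shown in the `--makeconf` output above, `~/.znc/configs/znc.conf`.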