Hi, I did not get an answer from the security team for longer than a week now. Maybe the mail did get lost somewhere?
Regards,
Ansgar

Ansgar Burchardt <ans...@43-1.org> writes:
> POE::Component::IRC did not validate the arguments of commands to send
> to the IRC server. If a user could trick a bot into sending a string
> containing \r or \n, this would allow injection of arbitrary IRC
> commands. This was fixed upstream in versions 6.14, 6.30 and finally
> solved in 6.32.
>
> Lenny is also affected by this problem. It can be reproduced using
> the attached minimalistic IRC bot in 581194.pl: using
> libpoe-component-perl from Lenny the bot will exit from IRC after
> seeing a message in #test-1234 and replying to it.
>
> I prepared a patch using the same fix as upstream introduced in 6.32:
> stripping \r and \n and any following characters from commands being
> sent. Upstream confirmed in IRC that this should be enough to fix the
> bug.
>
> Security Team: Should we upload the proposed fix to stable-security or
> should this rather be fixed in the next point release of Lenny?
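The fix quoted above (truncate each outbound command at the first \r or \n) is small enough to illustrate in full. The following is an added example, not the Debian patch nor POE::Component::IRC's own code: a Python port of the same sanitizer, plus a helper that frames a raw outbound buffer the way an IRC server does so that a test suite can confirm the sanitized reply is exactly one server line. The channel name and message text are constructed sample inputs.

```python
import re

# The 6.32-style fix as described in the bug report: drop the first CR or LF
# and everything that follows it, so only the first line of a command can
# reach the server.  (Added illustration; not the module's own code.)
_FIRST_LINE_BREAK = re.compile(r"[\r\n].*", re.DOTALL)


def strip_crlf(command: str) -> str:
    """Return `command` truncated at its first CR or LF character."""
    return _FIRST_LINE_BREAK.sub("", command, count=1)


def frame_irc_lines(raw: str) -> list:
    """Split a raw outbound buffer into the messages an IRC server would parse.

    Servers accept CR, LF or CRLF as a message terminator, which is why an
    unsanitized argument containing either byte turns into extra commands.
    """
    return [line for line in re.split(r"\r\n|\r|\n", raw) if line]


def build_privmsg(target: str, text: str, sanitize: bool = True) -> str:
    """Build the PRIVMSG a bot would send when echoing `text` to `target`.

    `sanitize=False` models the Lenny behaviour before the patch; the default
    models the patched behaviour.
    """
    if sanitize:
        target = strip_crlf(target)
        text = strip_crlf(text)
    return f"PRIVMSG {target} :{text}\r\n"


def extra_server_lines(target: str, text: str, sanitize: bool = True) -> int:
    """Regression check: number of server lines beyond the one PRIVMSG.

    A correctly sanitized bot always returns 0 here, whatever the input.
    """
    return len(frame_irc_lines(build_privmsg(target, text, sanitize))) - 1


if __name__ == "__main__":
    # Constructed sample: a user message that contains a CRLF followed by a
    # second command, the shape of input the bug report describes.
    sample = "hello\r\nQUIT :bye"
    print("unpatched extra lines:", extra_server_lines("#test-1234", sample, sanitize=False))
    print("patched extra lines:  ", extra_server_lines("#test-1234", sample))
    print(repr(build_privmsg("#test-1234", sample)))
```

The check in `extra_server_lines` is the property a packager would want in a regression test for this bug: independent of the particular payload, the patched bot must never emit more than one framed line per command it intended to send.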