Package: znc
Version: 0.045
Tags: security
Severity: grave

----- Forwarded message from Uli <[EMAIL PROTECTED]> -----

From: Uli <[EMAIL PROTECTED]>
Date: Thu, 14 Dec 2006 22:21:48 +0100
To: [EMAIL PROTECTED]
Subject: ZNC 0.045 contains a security flaw
User-Agent: Thunderbird 1.5.0.8 (X11/20061111)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Joey Hess,

I'm mailing you because ZNC contains a security flaw where a logged-in user could get any file on the host running znc via dcc using /msg *status get /etc/passwd.

This is described at
http://sourceforge.net/forum/forum.php?thread_id=1618535&forum_id=396039

There is already a fix for it:
http://znc.cvs.sourceforge.net/znc/znc/Client.cpp?r1=1.12&r2=1.13&view=patch

There is a small regression (files like 'this..file' are treated as dangerous), but for now the patch should be fine.

You don't need to contact upstream about this bug because I'm already the upstream-guy ;). As soon as there is a better patch on that issue I'll let you know.

We are planning on releasing znc 0.046 sometime in February, though there is still some stuff to do. Just so you know :).

Uli Schlachter aka Psychon aka a znc dev ;)

- --
Who is this LAN and why makes he so many partys?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgcBrABixOSrV998RAuEfAKC/ay+W+YVV24UI6DK24v1uNkN4ZQCfXgOR
Pn8+R5BRf7mWQ0Hoqf2kqUg=
=ZhhD
-----END PGP SIGNATURE-----

----- End forwarded message -----

--
see shy jo
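
The regression mentioned in the forwarded message ('this..file' treated as dangerous) is the behaviour a substring test for ".." would produce. The following is an added example, not ZNC's code and not the referenced patch: a component-wise check that rejects absolute paths and ".." path components while still accepting such file names. The function names and the base directory are assumptions made for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Substring test: flags any name containing "..", including harmless
// file names such as "this..file" (the regression described above).
bool NaiveHasDotDot(const std::string& name) {
    return name.find("..") != std::string::npos;
}

// Hypothetical helper: true if `name` can be joined onto a base directory
// without leaving it lexically. Rejects empty names, absolute paths such as
// /etc/passwd, embedded NUL bytes, and any path component equal to "..".
bool IsSafeRelativePath(const std::string& name) {
    if (name.empty() || name[0] == '/') return false;
    if (name.find('\0') != std::string::npos) return false;
    std::istringstream in(name);
    std::string part;
    while (std::getline(in, part, '/')) {
        if (part == "..") return false;  // a real parent-directory step
    }
    return true;
}

// Hypothetical helper: builds the full path under `base` (assumed to be a
// per-user directory) or returns false without touching `out`.
bool ResolveUnderBase(const std::string& base, const std::string& name,
                      std::string& out) {
    if (!IsSafeRelativePath(name)) return false;
    out = base + "/" + name;
    return true;
}

int main() {
    const std::string base = "/home/znc/users/alice";  // constructed sample
    const char* samples[] = {"/etc/passwd", "../bob/znc.conf",
                             "logs/../../bob", "this..file", "logs/today.log"};
    for (const char* s : samples) {
        std::string full;
        bool ok = ResolveUnderBase(base, s, full);
        std::cout << s << " -> " << (ok ? full : "rejected")
                  << (NaiveHasDotDot(s) ? "  [substring test: flagged]" : "")
                  << "\n";
    }
    return 0;
}
```

The check is purely lexical: a symlink inside the base directory can still point outside it, so a deployment where users can create symlinks also needs a comparison of the resolved path against the resolved base.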

