OK krw@ .... Ken
> On Jan 5, 2017, at 11:43 AM, Stuart Henderson <[email protected]> wrote: > > Works for me. OK? > > (There is also a 1.0.0 release now, but that will require further > testing). > > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/irssi/Makefile,v > retrieving revision 1.66 > diff -u -p -r1.66 Makefile > --- Makefile 25 Oct 2016 12:25:32 -0000 1.66 > +++ Makefile 5 Jan 2017 16:42:13 -0000 > @@ -2,7 +2,7 @@ > > COMMENT = modular IRC client with many features (ipv6,socks,proxy) > > -V = 0.8.20 > +V = 0.8.21 > DISTNAME = irssi-$V > PKGSPEC = irssi-=$V > > Index: distinfo > =================================================================== > RCS file: /cvs/ports/net/irssi/distinfo,v > retrieving revision 1.23 > diff -u -p -r1.23 distinfo > --- distinfo 22 Sep 2016 17:52:46 -0000 1.23 > +++ distinfo 5 Jan 2017 16:42:13 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (irssi-0.8.20.tar.gz) = 9eIPdqqCNzA8Rj4IrbOj46QAokupWs9z6bBo1jQXP2Y= > -SIZE (irssi-0.8.20.tar.gz) = 1565952 > +SHA256 (irssi-0.8.21.tar.gz) = QsGjWnC1H+zA1GvBrwqSLsjKntgS1zAEsIP+Bptiqjs= > +SIZE (irssi-0.8.21.tar.gz) = 1566527 > > > ----- Forwarded message from Ailin Nemui <[email protected]> ----- 
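Review bot: in the Makefile hunk only V moves from 0.8.20 to 0.8.21, which is consistent with upstream calling 0.8.21 a maintenance release without new features; still, run a build and `make update-plist` before committing to confirm the packing list and dependencies are genuinely unchanged, since a security-driven bump tends to get waved through without that check.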
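Review bot: the distinfo hunk replaces both SHA256 and SIZE for irssi-0.8.21.tar.gz, so `make checksum` against a freshly fetched distfile should be run to confirm the committed values match the tarball the ports tree will actually download; note that the SHA256 here is in OpenBSD's base64 distinfo encoding, so it will not compare character-for-character with a hex digest published upstream without conversion.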
>
> From: Ailin Nemui <[email protected]>
> Date: Thu, 05 Jan 2017 15:45:20 +0100
> To: [email protected]
> Reply-To: [email protected]
> X-Mailer: Evolution 3.22.2
> Subject: [oss-security] CVE Request: Irssi Multiple Vulnerabilities (2017/01)
>
> Dear oss-security List,
>
> Please provide some CVEs for the following issues.
>
> Thanks,
>
>
> Multiple vulnerabilities in Irssi [1]
> =====================================
>
>
> Description
> -----------
>
> Four vulnerabilities have been located in Irssi.
>
> (a) A NULL pointer dereference in the nickcmp function found by Joseph
> Bisch. (CWE-690)
>
> (b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
>
> (c) Out of bounds read in certain incomplete control codes found by
> Joseph Bisch. (CWE-126)
>
> (d) Out of bounds read in certain incomplete character sequences found
> by Hanno Böck and independently by J. Bisch. (CWE-126)
>
>
> Impact
> ------
>
> These issues may result in denial of service (remote crash).
>
>
> Affected versions
> -----------------
>
> (a) All Irssi versions that we observed
> (b) All Irssi versions that we observed
> (c) Irssi 0.8.17 and later
> (d) Irssi 0.8.18 and later
>
>
> Fixed in
> --------
>
> Irssi 0.8.21, Irssi 1.0.0
>
>
> Recommended action
> ------------------
>
> Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
> without any new features.
>
> After installing the updated packages, one can issue the /upgrade
> command to load the new binary. TLS connections will require
> /reconnect.
>
>
> A Note to Distributors
> ----------------------
>
> First of all, thanks to every maintainer for their awesome job in
> packaging Irssi and backporting security fixes.
>
> When we had to release a security advisory last year with Irssi
> 0.8.20, we noticed there was a huge confusion amongst Ubuntu users
> about whether their Irssi version was safe to use.
>
> Since all our releases 0.8.19, 0.8.20 and 0.8.21 have been bug
> fix only, we think distributions should just ship the release.
>
> But if the security fixes only are backported on top of an old
> version, we would like to urge distributions to consider indicating
> this in a way that is visible inside Irssi. One way to do this would
> be to manually overwrite the PACKAGE_VERSION and mark your package
> as patched. This can be done for example like this:
>
> ./configure PACKAGE_VERSION=0.8.17-sa201701
>
>
> You can then check the version from inside Irssi with /eval echo $J
>
> As an added benefit over relying on dpkg, this will also correctly
> report whether you had /upgrade done or not. We are looking for ways
> to make this easier to handle for both packagers and us, so if you
> have a good idea on this matter please speak forth.
>
>
> Mitigating facts
> ----------------
>
> (a) requires control over the ircd
>
> (b), (d) require control over the ircd or otherwise can be triggered /
> avoided by the user themselves
>
>
> Patch
> -----
>
> https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
>
>
> References
> ----------
>
> [1] https://irssi.org/security/irssi_sa_2017_01.txt
>
> ----- End forwarded message -----
>
