Your message dated Tue, 21 Aug 2018 22:26:24 +0000
with message-id <[email protected]>
and subject line Bug#906879: fixed in charybdis 4.1.1-1
has caused the Debian Bug report #906879,
regarding security issue with the PASS command and duplicate server instances
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
906879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906879
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: charybdis
Version: 4.1-1
Severity: grave
Tags: security

Upstream released Charybdis 4.0.1 and 4.1.1 fixing a security issue
which, apparently, is "with the PASS command and duplicate server
instances", at least according to the NEWS file:

https://github.com/charybdis-ircd/charybdis/blob/charybdis-4.1.1/NEWS.md

The hotfix seems to be:

https://github.com/charybdis-ircd/charybdis/commit/d4b2529a61fb48ebcd54bc0fcc6f400f97bfe251

And it seems like 3.x series (so stable and earlier) are not affected,
but I need to double-check that.

Upstream requested a CVE through the DWF but that process has
stalled. I recommended they go directly with MITRE or get an OVE, but
they instead generated the following UUID to track this issue:

a4c15999-a0b6-11e8-88af-00805fc181fe

Go figure...

-- System Information:
Debian Release: 9.5
APT prefers stable
APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: charybdis
Source-Version: 4.1.1-1

We believe that the bug you reported is fixed in the latest version of
charybdis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <[email protected]> (supplier of updated charybdis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 21 Aug 2018 17:52:12 -0400
Source: charybdis
Binary: charybdis
Architecture: source
Version: 4.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Antoine Beaupré <[email protected]>
Changed-By: Antoine Beaupré <[email protected]>
Description:
charybdis - fast, scalable irc server
Closes: 906879
Changes:
charybdis (4.1.1-1) unstable; urgency=medium
.
* New upstream release (Closes: #906879).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---