Source: charybdis
Version: 4.1-1
Severity: grave
Tags: security

Upstream released Charybdis 4.0.1 and 4.1.1 fixing a security issue
which, apparently, is "with the PASS command and duplicate server
instances", at least according to the NEWS file:

https://github.com/charybdis-ircd/charybdis/blob/charybdis-4.1.1/NEWS.md

The hotfix seems to be:

https://github.com/charybdis-ircd/charybdis/commit/d4b2529a61fb48ebcd54bc0fcc6f400f97bfe251

And it seems like the 3.x series (so stable and earlier) is not affected,
but I need to double-check that.

Upstream requested a CVE through the DWF but that process has
stalled. I recommended they go directly with MITRE or get an OVE, but
they instead generated the following UUID to track this issue:

a4c15999-a0b6-11e8-88af-00805fc181fe

Go figure...

-- System Information:
Debian Release: 9.5
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
