03.06.2020 11:25, Salvatore Bonaccorso wrote:
> Source: znc
> Version: 1.8.0-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for znc.
> 
> CVE-2020-13775[0]:
> | ZNC before 1.8.1-rc1 allows attackers to trigger an application crash
> | (with a NULL pointer dereference) if echo-message is not enabled and
> | there is no network.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-13775
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13775
> [1] https://github.com/znc/znc/commit/2390ad111bde16a78c98ac44572090b33c3bd2d8
> 
> Please adjust the affected versions in the BTS as needed, if my
> understanding of the issue is correct then this was only introduced
> in 1.8.0 while fixing another bug related to echo-messages, please
> double check though.

Correct. MITRE changed the suggested description and left that and a few
more details out. https://wiki.znc.in/ChangeLog/1.8.1 has a better text.

> 
> Regards,
> Salvatore
> 


-- 
Best regards,
Alexey "DarthGandalf" Sokolov
