Source: ngircd Version: 26.1-1 Severity: important Tags: patch Dear Maintainer,
The master branch of the upstream ngircd changelog informs about an SSL security related patch [1] that is missing in the -26-1 ngircd debian package patches. Here's the Changelog entry: [[ Respect "SSLConnect" option for incoming connections and do not accept incoming plain-text ("non SSL") server connections for servers configured with "SSLConnect" enabled. This change prevents an authenticated client-server being able to force the server-server to send its password on a plain-text connection when SSL/TLS was intended. ]] It may be interesting to cherry-pick the patch that fixes this issue [2]. I added it by hand and didn't detect any issue compiling or running ngircd. [1] https://github.com/ngircd/ngircd/blob/c1c0bca0e2fa7b678a18155abaf364fcb9dab427/ChangeLog#L53 [2] https://github.com/ngircd/ngircd/commit/21c1751b045b0be49e584a4ba191a330e0c381bb *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? Browsing the changelog on the github repository for the ngircd server. * What exactly did you do (or not do) that was effective (or ineffective)? I cherry-picked and added the upstream patch from github [2] to the debian package source obtained thru apt-get source, then compiled and installed the package. * What was the outcome of this action? Although I cannot run the test scenario, this patches the SSL issue reported by the code developer, avoid tricking the server to send its password on the clear in server-server connections.. -- System Information: Debian Release: 12.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled