Package        : znc
Version        : 1.4-2+deb8u1
CVE IDs        : CVE-2018-14055 CVE-2018-14056
Debian Bugs    : #903787 #903788

It was discovered that there were two issues in znc, a modular IRC
bouncer:

 * There was insufficient validation of lines coming from the network,
   allowing a non-admin user to escalate their privileges and inject rogue
   values into znc.conf. (CVE-2018-14055)

 * A path traversal vulnerability (via "../" being embedded in a web skin
   name) allowed access to files outside of the allowed directory.
   (CVE-2018-14056)

For Debian 8 "Jessie", these issues have been fixed in znc version
1.4-2+deb8u1.

We recommend that you upgrade your znc packages.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
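
Added example, not part of the advisory and not ZNC's own code or its actual fix: a sketch of the kind of check that closes the skin-name path traversal described above (CVE-2018-14056), with the unchecked join beside a hardened one. The skin root, the function names, the 64-character limit and the character allowlist are all assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical skin root; the advisory does not name the real directory.
static const std::string kSkinRoot = "/srv/example/webskins";

// Unchecked join: the pattern that lets "../" in a name leave the root.
std::string skin_path_unchecked(const std::string& name) {
    return kSkinRoot + "/" + name;
}

// Lexically collapse "." and ".." components of an absolute path.
std::string normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    for (std::size_t i = 0; i <= path.size(); ++i) {
        if (i < path.size() && path[i] != '/') { cur += path[i]; continue; }
        if (cur == "..") { if (!parts.empty()) parts.pop_back(); }
        else if (!cur.empty() && cur != ".") parts.push_back(cur);
        cur.clear();
    }
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Containment check: is the normalized result still below the root?
bool stays_in_root(const std::string& name) {
    const std::string prefix = kSkinRoot + "/";
    return normalize(skin_path_unchecked(name)).compare(0, prefix.size(), prefix) == 0;
}

// Allowlist check: a valid name is a single component of [A-Za-z0-9_-].
bool skin_name_ok(const std::string& name) {
    if (name.empty() || name.size() > 64) return false;
    for (unsigned char c : name)
        if (!(std::isalnum(c) || c == '_' || c == '-')) return false;
    return true;
}

// Hardened join: returns an empty string when the name is rejected.
std::string skin_path_checked(const std::string& name) {
    return skin_name_ok(name) ? skin_path_unchecked(name) : std::string();
}

int main() {
    for (const char* n : {"dark-clouds", "../outside/secret.txt"})  // constructed inputs
        std::cout << n << " -> ok=" << skin_name_ok(n) << " in_root=" << stays_in_root(n) << "\n";
}
```

The containment check here is purely lexical and does not resolve symlinks, so the allowlist on the name is the primary control and the containment check is a second line of defence.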