Package: znc
Severity: normal

Potential security implications here, but not directly exploitable; will leave for the maintainer to determine how serious the problem is.
Debian's znc versions follow the upstream convention of advertising themselves when the user exits them. This practice isn't terribly wise on its own, but it also advertises the exact version of Debian (or derivative) being run by the host. Worse, it's not even information that must be queried; it's spammed into IRC channels upon quit.

A few examples from today:

  <-- nick (~u@h) has quit (Quit: ZNC 1.6.5+deb1+deb9u1 - http://znc.in)
  <-- nick (~u@h) has quit (Quit: ZNC 1.6.6+deb1ubuntu0.1 - http://znc.in)
  <-- nick (~u@h) has quit (Quit: ZNC 1.6.5+deb1+deb9u1 - http://znc.in)

And one counter-example of how changing the default might be a good idea:

  <-- nick (~u@h) has quit (Quit: ZNC - https://znc.in)

As the host part of the u@h is often not concealed in any way, spamming this information into a public forum might provide a nefarious user with information for an attack of opportunity against an unprotected host. The other way someone might usually obtain this information (a CTCP request) in most clients alerts the user that someone's asking, and can be replied to with anything (or nothing); I don't know if that's true of znc.

I mean, I suppose going into a crowded room and shouting the exact OS you run, that you haven't installed security updates in over two weeks, and your IP address is something the user is perfectly happy to do. Debian shouldn't preconfigure software to potentially do that by default.

I'd say this would warrant a 1.6.5-1+deb9u2 to disable that by default, but that's up to you and the security team. :)

Joseph
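Added example (not part of the bug report above, and not Debian's or upstream's own configuration): a znc.conf fragment showing a user-level override that stops the version string from being broadcast on quit until a changed default ships. It assumes the per-user QuitMsg key in znc.conf; the user name and the replacement message are constructed for illustration.

```ini
# Before: no QuitMsg set, so ZNC falls back to its default quit message,
# which on Debian/Ubuntu packages includes the distro-specific version
# string seen in the examples above (e.g. "ZNC 1.6.5+deb1+deb9u1 - http://znc.in").
<User joseph>
    Nick = joseph
    AltNick = joseph_
    # (no QuitMsg line)
</User>

# After: an explicit QuitMsg overrides the default, so nothing about the
# ZNC or Debian package version is sent to the channel on disconnect.
# The message text itself is arbitrary and chosen here for the example.
<User joseph>
    Nick = joseph
    AltNick = joseph_
    QuitMsg = leaving
</User>
```

Edit znc.conf only while znc is not running (or the running instance will overwrite the file on its next save), then restart it; the next quit seen in channel will carry the literal message rather than the package version. This is a per-user workaround, which is why the report asks for the default to change in the package rather than relying on every user to set it.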