Package: cgiirc
Version: 0.5.4
Severity: grave
Tags: security
Justification: user security hole

Upstream has just released 0.5.8, which fixes a buffer overflow in client.c amongst other things.

The 0.5.8 timeline can be seen here:

http://cvs.cgiirc.org/timeline?d=300&e=2006-Apr-30&c=2&px=&s=0&dm=1&x=1&m=1

The patches can be seen here:

http://cvs.cgiirc.org/chngview?cn=283
http://cvs.cgiirc.org/chngview?cn=263

There is no CVE assigned yet as far as I know.

0.5.8 also adds a login secret feature to help stop flooding:

> I have also added a feature which hopefully will stop some of the
> lamer attacks on CGI:IRC. If you set the 'login secret' option then
> an authentication token is added to the URL so it is not enough to
> simply request nph-irc.cgi like some flooding scripts have done.

http://cvs.cgiirc.org/chngview?cn=277

--
bye,
pabs

http://wiki.debian.org/PaulWise