Package: irssi-text
Version: 0.8.10-2
Severity: normal
Tags: patch

I think the information provided via CTCP VERSION is excessive. Kernel and CPU platform are precisely the information an attacker would need to insert shellcode in case a vulnerability is discovered.
Please consider reducing it:

--- irssi-0.8.10/src/irc/core/ctcp.c~ 2005-12-08 18:32:48.000000000 +0100 +++ irssi-0.8.10/src/irc/core/ctcp.c 2006-06-12 20:45:33.451706184 +0200 @@ -329,7 +329,7 @@ ctcp_cmds = NULL; settings_add_str("misc", "ctcp_version_reply", - PACKAGE" v$J - running on $sysname $sysarch"); + PACKAGE" v$J"); settings_add_str("misc", "ctcp_userinfo_reply", "$Y"); settings_add_int("flood", "max_ctcp_queue", 5);

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-12-amd64-k8
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)

Versions of packages irssi-text depends on:
ii  irssi  0.8.10-2  terminal based IRC client

irssi-text recommends no packages.

-- no debconf information
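
Review bot: The new ctcp_version_reply default in ctcp.c, PACKAGE" v$J", still sends the exact client release ($J) to anyone who issues CTCP VERSION, so the reply continues to identify which build is running even though $sysname and $sysarch are gone. If the goal is to limit what the default reply discloses, either reduce the default to PACKAGE alone or state in the report why the version number is kept. Because only the default string passed to settings_add_str changes, the patch should also carry a changelog or documentation line saying that the default reply no longer includes the platform and that ctcp_version_reply can be set by users who want the old text back.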