Package: konversation
Version: 0.15-2
Severity: grave
Tags: security sarge sid

These problems have been discovered by Wouter Coekaerts in the konversation
IRC client.  Affected are version 0.15, CVS until 18-19/01/2005, and
some older versions too. They are fixed in 0.15.1.

When you fix these problems, please mention the corresponding CVE id in
the changelog.

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0129

Reference: FULLDISC:20050119 Multiple vulnerabilities in Konversation
Reference: URL: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

The Quick Buttons feature in Konversation 0.15 allows remote attackers
to execute certain IRC commands via a channel name containing "%"
variables, which are recursively expanded by the
Server::parseWildcards function when the Part Button is selected.
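As an added illustration (not Konversation's code; expandOnce and expandRecursive are hypothetical names, and the "%c"/"%n" variables and the channel name are constructed for the example), the difference between re-expanding substituted text and a single-pass expansion that leaves a channel name containing "%" sequences literal:

```cpp
#include <map>
#include <string>

// Variables a quick button template may reference. The values come from
// the live session (channel name, own nick), so they are attacker-influenced.
using Vars = std::map<char, std::string>;

// Single-pass expansion: each "%x" is replaced once and the substituted
// value is copied verbatim, never rescanned. A channel named "#chan%n" is
// emitted as "#chan%n", not as "#chan<nick>".
std::string expandOnce(const std::string& tmpl, const Vars& vars) {
    std::string out;
    for (std::size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] == '%' && i + 1 < tmpl.size()) {
            char key = tmpl[i + 1];
            if (key == '%') { out += '%'; ++i; continue; }   // "%%" is a literal percent
            auto it = vars.find(key);
            if (it != vars.end()) { out += it->second; ++i; continue; }
        }
        out += tmpl[i];   // unknown "%z" or a trailing '%' is kept as-is
    }
    return out;
}

// Fixed-point expansion of the kind the advisory describes: the output is
// fed back through the expander until nothing changes, so "%" sequences
// inside substituted values (such as the channel name) get expanded too.
// Bounded so that a self-referencing value cannot loop forever.
std::string expandRecursive(const std::string& tmpl, const Vars& vars) {
    std::string cur = tmpl;
    for (int round = 0; round < 8; ++round) {
        std::string next = expandOnce(cur, vars);
        if (next == cur) break;
        cur = next;
    }
    return cur;
}
```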


URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0130

Reference: FULLDISC:20050119 Multiple vulnerabilities in Konversation
Reference: URL: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

Certain Perl scripts in Konversation 0.15 allow remote attackers to
execute arbitrary commands via shell metacharacters in (1) channel
names or (2) song names that are not properly quoted when the user
runs IRC scripts.


URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0131

Reference: FULLDISC:20050119 Multiple vulnerabilities in Konversation
Reference: URL: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

The Quick Connection dialog in Konversation 0.15 inadvertently uses
the user-provided password as the nickname instead of the
user-provided nickname when connecting to the IRC server, which could
leak the password to other users.


Regards,

        Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.
