Your message dated Sun, 13 Apr 2008 23:16:00 +0200
with message-id <[EMAIL PROTECTED]>
and subject line ircii-pana has been removed from Debian, closing #432120
has caused the Debian Bug report #432120,
regarding ircii-pana: CVE-2007-3360: remote IRC servers can execute arbitrary commands on client
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
432120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432120
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ircii-pana
Version: 1:1.1-5
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2007-3360 [0]:
"hook.c in BitchX 1.1-final allows remote IRC servers to execute
arbitrary commands by sending a client certain data containing NICK and
EXEC strings, which exceeds the bounds of a hash table, and injects an
EXEC hook function that receives and executes shell commands."
This vulnerability introduces a security hole allowing access to the
accounts of users who use the package. A sample exploit is available
[1]; while I did not see the output of 'ps -aux' when I connected to a
server running the exploit, I did get a segmentation fault. There does
not appear to be a patch available.
Please mention the CVE in your changelog.
Thanks,
Alec
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3360
[1] http://www.milw0rm.com/exploits/4087
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGj9P3Aud/2YgchcQRAuYMAKDlG2rI6W9LjjZq0JnsUVqvbkgx3QCdG6eX
GvPa52B/XwKnrM6Y3Jz7mRQ=
=YRT1
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Version: 1:1.1-5+rm
The ircii-pana package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still open
against it.
For more information about this package's removal, read
http://bugs.debian.org/451373 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Lucas
--- End Message ---