Bug#903788: marked as done (znc: CVE-2018-14056: path traversal flaw)

[Debian Bug Tracking System]

Your message dated Wed, 18 Jul 2018 11:19:52 +0000
with message-id <e1ffkuq-00024t...@fasolo.debian.org>
and subject line Bug#903788: fixed in znc 1.7.1-1
has caused the Debian Bug report #903788,
regarding znc: CVE-2018-14056: path traversal flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
903788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903788
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: znc
Version: 0.045-1
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi

See https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
allowing path traversal and can lead to expose some files which
shouldn't be, or potentially lead to a crash.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: znc
Source-Version: 1.7.1-1

We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated znc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 18 Jul 2018 10:01:05 +0200
Source: znc
Binary: znc znc-dev znc-perl znc-python znc-tcl
Architecture: source amd64
Version: 1.7.1-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
 znc        - advanced modular IRC bouncer
 znc-dev    - advanced modular IRC bouncer (development headers)
 znc-perl   - advanced modular IRC bouncer (Perl extension)
 znc-python - advanced modular IRC bouncer (Python extension)
 znc-tcl    - advanced modular IRC bouncer (Tcl extension)
Closes: 898364 903787 903788
Changes:
 znc (1.7.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes privilege escalation by injecting rogue values in znc.conf as
       described in CVE-2018-14055.
       Closes: #903787
     - Fixes path traversal as described in CVE-2018-14056.
       Closes: #903788
   * Bump Standards-Version to 4.1.5.
   * Merge 1.6.5-1+deb9u1 changelog.
   * Apply patch from Unit193 to enable tests at build time.
     Closes: #898364
   * Adjust lintian overrides.
   * Move pkgconfig znc.pc file to multiarch directory.
Checksums-Sha1:
 c5615fc80c2b2b64fd2c65a39314fafd3d024a2b 2225 znc_1.7.1-1.dsc
 6ad5ace06eb99e8b37adc1a9994e48b98cf14262 2041669 znc_1.7.1.orig.tar.gz
 44908835dd5ea7086ec8d7ecaeaf20281b58f0fc 566 znc_1.7.1.orig.tar.gz.asc
 caf2bc2d53babbea888bede803908d2e8e74e56a 16936 znc_1.7.1-1.debian.tar.xz
 7bd929b9ea65cb92530efc00628987a2704e7bc9 20999400 znc-dbgsym_1.7.1-1_amd64.deb
 37539d6f6fb6cbc404d86f52e6d5cf6febec2ee6 113036 znc-dev_1.7.1-1_amd64.deb
 76ee78f4354a242e47bd7d6dc04d7285b4a35220 4599296 
znc-perl-dbgsym_1.7.1-1_amd64.deb
 39f703225683ee937eb063a303d978387ba8bebe 733312 znc-perl_1.7.1-1_amd64.deb
 45ea53508d483c1aea15b6e570a7dc10bc8f7cbd 5547244 
znc-python-dbgsym_1.7.1-1_amd64.deb
 1c5c031a2949ee6e3175ff94c094e64c7b51323a 730940 znc-python_1.7.1-1_amd64.deb
 cb71c9a5fa74b169a2aa1644678f560e9c7a2719 351108 
znc-tcl-dbgsym_1.7.1-1_amd64.deb
 d4a404d86fe1db25666e4edca27e7c49c3c3430e 74420 znc-tcl_1.7.1-1_amd64.deb
 a8059ed72cd5a900659f88ce5f04dce5d1d976e4 9818 znc_1.7.1-1_amd64.buildinfo
 07a5c74e9b34b9eba27e692b1b00c4ac6389f683 1652620 znc_1.7.1-1_amd64.deb
Checksums-Sha256:
 3f07e74ccdb10eab454c3f5dd391761ef0cb6d1f8dd192c8f006abbb1799033c 2225 
znc_1.7.1-1.dsc
 44cfea7158ea05dc2547c7c6bc22371e66c869def90351de0ab90a9c200d39c4 2041669 
znc_1.7.1.orig.tar.gz
 032db4ce966dde2ce25acd4637cd2ea256149560b4d6e21696af860b6f72b38f 566 
znc_1.7.1.orig.tar.gz.asc
 6ee2e99cb3308148801c46c80c5dd6c47ab059920dcae8480a1cde067d903b42 16936 
znc_1.7.1-1.debian.tar.xz
 ce06497d36df8c230024859847ea0d33c278abad35efed853193c23f63a5ea8b 20999400 
znc-dbgsym_1.7.1-1_amd64.deb
 b22911fe6534a8512ade30c6e940dd9c1fb027cfb6f6fe698b2069a5c194b97b 113036 
znc-dev_1.7.1-1_amd64.deb
 5216ea02df6c40e8f73a5cbd8f9686524cc306ebe005f802d099f9c97c6d6f38 4599296 
znc-perl-dbgsym_1.7.1-1_amd64.deb
 2dcaba409b31553adb745f0f79802d165cebb8bfa2193eeb42222f61203a2c52 733312 
znc-perl_1.7.1-1_amd64.deb
 94742083cf7d674f3492fe1d712715877cd5f18e55966cd8b8f695493e60cdad 5547244 
znc-python-dbgsym_1.7.1-1_amd64.deb
 bebe405b8286d60d63ddd9b49376f355a863328e8d63b8c5c4ca60e689e0eb80 730940 
znc-python_1.7.1-1_amd64.deb
 ba3c9558fb24ebcd79ceef347545d6887e46a1dd1c77a8c20cc49a20d66e04a7 351108 
znc-tcl-dbgsym_1.7.1-1_amd64.deb
 051880d3e0b406dccce95fcc7e3ade6fa37691e90ecf091c13c6ecc2ce2ce7cd 74420 
znc-tcl_1.7.1-1_amd64.deb
 838d4e7bda111c9924b69ebff21df471b673270e63e674b3a319ad0fff8216a9 9818 
znc_1.7.1-1_amd64.buildinfo
 6c90385a13c4408115a7bf77a852936ef174ebbf60733c3ee272d325950ccebc 1652620 
znc_1.7.1-1_amd64.deb
Files:
 01d6b2a3c33b5da90a200f1f3c0e2050 2225 net optional znc_1.7.1-1.dsc
 1ca921308c5ba4f31c2d50b87d9fc71c 2041669 net optional znc_1.7.1.orig.tar.gz
 16028b4e6357189131c8381caaa1e0fa 566 net optional znc_1.7.1.orig.tar.gz.asc
 9f0773c0b1b8ff94df4dc34bf3492ca7 16936 net optional znc_1.7.1-1.debian.tar.xz
 135dea6f2f8c06d59e3ebc7e89cda2bf 20999400 debug optional 
znc-dbgsym_1.7.1-1_amd64.deb
 db2e1ff38c41dd9464874312d98079cc 113036 net optional znc-dev_1.7.1-1_amd64.deb
 5e0f6db02fb2a122bb52cc996e59e059 4599296 debug optional 
znc-perl-dbgsym_1.7.1-1_amd64.deb
 09011572cf3f35a6808aa4bbfb39ef9e 733312 net optional znc-perl_1.7.1-1_amd64.deb
 8d0b526f41591091aa679379a7ae981d 5547244 debug optional 
znc-python-dbgsym_1.7.1-1_amd64.deb
 b575c920a39310e60624db4bb5de3b29 730940 net optional 
znc-python_1.7.1-1_amd64.deb
 1da295f6cf73d430a5db9ea4a49b7707 351108 debug optional 
znc-tcl-dbgsym_1.7.1-1_amd64.deb
 ab9ab2e5440d6cf1b3dab073d598b482 74420 interpreters optional 
znc-tcl_1.7.1-1_amd64.deb
 efa6a2925249622401d18bb301f4b559 9818 net optional znc_1.7.1-1_amd64.buildinfo
 03f8d44ea6d92e6c8cc72dd8738570b6 1652620 net optional znc_1.7.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWKA9xYJCWk3IuQ4TEtmwSpDL2OQFAltPHZcACgkQEtmwSpDL
2OTDBw//RB0YP0JNH8KBJKzbC28LxeXDsxx4wwin4Bn1wo9BE7fUL5+6ov/4Iybk
JBEbkm4MZmJm+DNfYCXaU9y3bqWDnttimhz+jU5JJ0SvXyP+SHwmNPOwLdg3nGHC
YqqR7HDyPucDmbTYBj+21gA2HQeu9Tp2Ocznj6mrmcbJrRVbgirOjPdde1o4XmxI
l5jnUHuO9pi6b0JIqOJeN51SDDrhQ19VL/A7cm01qlUwe1XkRr7UiFIiMhHufib3
x9IKm84DO16obgsZ8FDExGPZnsvPAVhnAjjy6BFOACkamCZJqYgoeZGR7tSCG8/X
YlEXsi6LEVKPKoGu9crqYt1Gd5Dat4DK+KtpGNOLDjKEwKw0iY5JiTJP6ikUdjTO
mhwqFTlXh9NounDjTazzS5DyBHHLKs+r3w2KQuIOL3sRD5YcM2fss+SlJLHI2gXD
QSbMoxBvCcXORX45wm5NYWtF4d6hfpEMhv24UCnHVImJjwSQwKO25KimuxGsaFjS
65VMWr/ntuDmJsjirXwUx256F+C7hF13hbJ9KTgPgFEfy6WBQZhE499ec4oMqDsH
L/vtWqi4LGGcbSFO2Z1Xpj+q5r2WNPLd5aikvnVmqqu7DcS4KQ3YYw6g6Y46Keqg
rojHUdd89CFbeIvw80jLQZXP+kjv50Yic9uZ+i+dcRbfgx2dbww=
=1m8u
-----END PGP SIGNATURE-----

--- End Message ---