package cgiirc
tags 365680 + confirmed
thanks

On Tue, May 02, 2006 at 10:15:37AM +0800, Paul Wise wrote:
[...]
> Upstream has just released 0.5.8, which fixes a buffer overflow in
> client.c amongst other things. The 0.5.8 timeline can be seen here:
[...]

Okay, I can confirm the buffer overflow.

> http://cvs.cgiirc.org/chngview?cn=283
> http://cvs.cgiirc.org/chngview?cn=263

Okay, that helped in fixing it; my upcoming patch is based on this.

> There is no CVE assigned yet as far as I know.

I don't know if the security team requires this.

> 0.5.8 also adds a login secret feature to help stop flooding:
>
> > I have also added a feature which hopefully will stop some of the
> > lamer attacks on CGI:IRC. If you set the 'login secret' option then
> > an authentication token is added to the URL so it is not enough to
> > simply request nph-irc.cgi like some flooding scripts have done.
>
> http://cvs.cgiirc.org/chngview?cn=277

I have decided to not backport this for the security release of
0.5.4. If the security team decides that this is needed, I leave that
to them. But AFAIK, it's only raising the DoS-burden a little.

    Elrond