Your message dated Wed, 10 May 2006 13:44:44 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in security.d.o
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: cgiirc
Version: 0.5.4
Severity: grave
Tags: security
Justification: user security hole
Upstream has just released 0.5.8, which fixes a buffer overflow in
client.c amongst other things. The 0.5.8 timeline can be seen here:
http://cvs.cgiirc.org/timeline?d=300&e=2006-Apr-30&c=2&px=&s=0&dm=1&x=1&m=1
The patches can be seen here:
http://cvs.cgiirc.org/chngview?cn=283
http://cvs.cgiirc.org/chngview?cn=263
There is no CVE assigned yet as far as I know.
0.5.8 also adds a login secret feature to help stop flooding:
> I have also added a feature which hopefully will stop some of the
> lamer attacks on CGI:IRC. If you set the 'login secret' option then
> an authentication token is added to the URL so it is not enough to
> simply request nph-irc.cgi like some flooding scripts have done.
http://cvs.cgiirc.org/chngview?cn=277
--
bye,
pabs
http://wiki.debian.org/PaulWise
--- End Message ---
--- Begin Message ---
Version: 0.5.4-6sarge1
This has been fixed in security.
DSA: http://www.debian.org/security/2006/dsa-1052
Elrond
--- End Message ---