Package: atheme-services
Version: 7.2.7
Severity: grave
Tags: security

Upstream changelog says:

    This is a security release closing a memory leak that could be
    exploited by attackers to potentially cause a denial of service.
    Release 7.2.7 is affected; older releases are unaffected. See #539
    for technical information.

The upstream issue is https://github.com/atheme/atheme/pull/539 and
doesn't have much more detail.

The patch is:
https://github.com/atheme/atheme/pull/539/commits/a80355d2971f6453ef9c6c9507e8f0d16e55dd0f

But then the fun part is that the fix introduced yet another DoS, which
led to the release of 7.2.9:

    This is a security release fixing a use after free that could
    potentially be abused by an attacker already having the privilege to
    use SASL impersonation to cause a denial of service. Users of 7.2.8
    should update to version 7.2.9; older releases are not affected.

Not sure if those issues should be treated separately, but since 7.2.8
wasn't packaged yet, maybe it's fine to have a single issue about this.

A CVE was requested, but it is unclear where or if there was a response:
https://github.com/atheme/atheme/pull/539#issuecomment-278204870

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)