Source: ngircd
Version: 26.1-1
Severity: important
Tags: patch
Dear Maintainer,
The master branch of the upstream ngircd changelog informs about an
SSL security related patch [1] that is missing in the -26-1 ngircd debian
package patches.
Here's the Changelog entry:
[[
Respect "SSLConnect" option for incoming connections and do not accept
incoming plain-text ("non SSL") server connections for servers configured
with "SSLConnect" enabled. This change prevents an authenticated
client-server being able to force the server-server to send its password
on a plain-text connection when SSL/TLS was intended.
]]
It may be interesting to cherry-pick the patch that fixes this issue [2].
I added it by hand and didn't detect any issue compiling or running
ngircd.
[1]
https://github.com/ngircd/ngircd/blob/c1c0bca0e2fa7b678a18155abaf364fcb9dab427/ChangeLog#L53
[2]
https://github.com/ngircd/ngircd/commit/21c1751b045b0be49e584a4ba191a330e0c381bb
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Browsing the changelog on the github repository for the ngircd server.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I cherry-picked and added the upstream patch from github [2] to the
debian package source obtained thru apt-get source, then compiled and
installed the package.
* What was the outcome of this action?
Although I cannot run the test scenario, this patches the SSL issue
reported by the code developer, avoid tricking the server to send
its password on the clear in server-server connections..
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
