UbuntuUpdates.org

Package "znc"

Name: znc

Description:

advanced modular IRC bouncer

Latest version: 1.6.3-1ubuntu0.2
Release: xenial (16.04)
Level: updates
Repository: universe
Homepage: http://znc.sourceforge.net/

Links


Download "znc"


Other versions of "znc" in Xenial

Repository Area Version
base universe 1.6.3-1
security universe 1.6.3-1ubuntu0.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.6.3-1ubuntu0.2 2019-06-27 22:07:07 UTC

  znc (1.6.3-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Fix vulnerability that allows remote authenticated
    non-admin users to escalate privileges and execute arbitrary code by
    loading a module with a crafted name.
    - debian/patches/CVE-2019-12816.patch: Fix remote code execution and
      privilege escalation.
    - CVE-2019-12816

 -- Paulo Flabiano Smorigo <email address hidden> Wed, 26 Jun 2019 10:48:57 -0300

Source diff to previous version
CVE-2019-12816 Modules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module

Version: 1.6.3-1ubuntu0.1 2018-08-07 07:06:54 UTC

  znc (1.6.3-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation for non-admin users (LP: #1781925)
    - debian/patches/CVE-2018-14055-1.patch: Remove newlines from incoming
      network configuration change directives. Based on upstream patch.
    - debian/patches/CVE-2018-14055-2.patch: Remove extra newlines when
      writing out configuration file. Based on upstream patch.
    - CVE-2018-14055
  * SECURITY UPDATE: Path traversal flaw allows access to files outside of
    skins (LP: #1781925)
    - debian/patches/CVE-2018-14056.patch: Replace path traversal components
      in skin names to ensure path traversal is not possible. Based on
      upstream patch.
    - CVE-2018-14056

 -- Alex Murray <email address hidden> Wed, 25 Jul 2018 16:08:05 +0930

1781925 Vulnerabilities in znc package CVE-2018-14055 CVE-2018-14056
CVE-2018-14055 ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inje
CVE-2018-14056 ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files outside of the intended skins directories.



About   -   Send Feedback to @ubuntu_updates