author Ailin Nemui <ailin@z30a.localdomain> 2018-02-14 00:54:53 +0100
committer Ailin Nemui <ailin@z30a.localdomain> 2018-02-14 23:06:37 +0100
commit 813c12822a68983ab42905f5af364dcc9c7ffcdd
tree b8e8986b0f1bfad0e20809b78b0e9a1a3235ce16 /security
parent 21f070359fe8174573deea8fea19ccd95dc3e51d
download irssi.github.io-813c12822a68983ab42905f5af364dcc9c7ffcdd.zip
enable security collections
Diffstat (limited to 'security')
-rw-r--r-- security/buf_pl_sa_2016.txt 73
-rw-r--r-- security/index.html 105
-rw-r--r-- security/irssi_sa_2016.txt 101
-rw-r--r-- security/irssi_sa_2017_01.txt 187
-rw-r--r-- security/irssi_sa_2017_03.txt 57
-rw-r--r-- security/irssi_sa_2017_06.txt 73
-rw-r--r-- security/irssi_sa_2017_07.txt 75
-rw-r--r-- security/irssi_sa_2017_10.txt 94
-rw-r--r-- security/irssi_sa_2018_01.txt 78
-rw-r--r-- security/sa_patch.pl 2
10 files changed, 0 insertions, 845 deletions
diff --git a/security/buf_pl_sa_2016.txt b/security/buf_pl_sa_2016.txt
deleted file mode 100644
index 7257538..0000000
--- a/security/buf_pl_sa_2016.txt
+++ /dev/null
@@ -1,73 +0,0 @@
-information disclosure vulnerability in buf.pl
-==============================================
-CWE Classification: CWE-732, CWE-538
-
-CVE-2016-7553 [1] was assigned to this bug.
-
-
-Description
------------
-
-An information disclosure vulnerability was found, reported and fixed
-in the buf.pl script by its author.
-
-
-Impact
-------
-
-Other users on the same machine may be able to retrieve the whole
-window contents after /UPGRADE when the buf.pl script is
-loaded. Furthermore, this dump of the windows contents is never
-removed afterwards.
-
-Since buf.pl is also an Irssi core script and we recommended its use
-to retain your window content, many people could potentially be
-affected by this.
-
-Remote users may be able to retrieve these contents when combined with
-other path traversal vulnerabilities in public facing services on that
-machine.
-
-
-Detailed analysis
------------------
-
-buf.pl restores the scrollbuffer between "/upgrade"s by writing the
-contents to a file, and reading that after the new process was spawned.
-Through that file, the contents of (private) chat conversations may leak to
-other users.
-
-
-Mitigating facts
-----------------
-
-Careful users with a limited umask (e.g. 077) are not affected by this bug.
-However, most Linux systems default to a umask of 022, meaning that files
-written without further restricting the permissions, are readable by any
-user.
-
-
-Affected versions
------------------
-
-All up to 2.13
-
-
-Fixed versions
---------------
-
-buf.pl 2.20 [2]
-
-
-Resolution
-----------
-
-Update the buf.pl script with the latest version from
-https://scripts.irssi.org
-
-
-References
-----------
-
-[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7553
-[2] https://scripts.irssi.org/scripts/buf.pl
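Review bot: the version ranges in this advisory leave a gap: "Affected versions" says "All up to 2.13" while "Fixed versions" says "buf.pl 2.20", so a reader running anything from 2.14 to 2.19 cannot tell whether they are affected. If this text is carried over into the new collection, state the status of the intermediate versions explicitly. The advisory also notes that the dump file "is never removed afterwards", yet the Resolution section only says to update the script; a line telling users to check for and delete a leftover dump would close that loop.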
diff --git a/security/index.html b/security/index.html
deleted file mode 100644
index af51403..0000000
--- a/security/index.html
+++ /dev/null
@@ -1,105 +0,0 @@
----
-layout: page
-title: Security
-permalink: security/
----
-
-Please report security issues to staff&#64;irssi&#46;org. Thanks!
-
-<h2>Past issues overview</h2>
-<table class="table">
- <thead>
- <tr class="text-nowrap">
- <th colspan="2">Links</th>
- <th>Exploitable</th>
- <th colspan="3">Versions affected</th>
- <th>Fixed</th>
- <th>Credit</th>
- <th colspan="2">Description</th>
- </tr>
- </thead>
-{% assign advisories = site.data.security %}
-{% for advisory in advisories reversed %}
- <tbody>
- <tr>
- <th colspan="3">{% if advisory.link %}<a href="{{ advisory.link }}">{{ advisory.name }}</a>{% elsif advisory.name contains "-SA-" %}<a href="{{ site.baseurl }}/security/{{ advisory.name | slugify | replace: '-', '_' }}.txt">{{ advisory.name }}</a>{% else %}{{ advisory.name }}{% endif %}</th>
- <th colspan="3">{% if advisory.affected_note %}{{ advisory.affected_note }}{% endif %}</th>
- <th>{% if advisory.git_commit %}<a href="https://github.com/irssi/{% if advisory.repo %}{{ advisory.repo }}{% else %}irssi{% endif %}/commit/{{ advisory.git_commit }}">{{ advisory.release_date }}</a>{% else %}{{ advisory.release_date }}{% endif %}</th>
- <th colspan="3"></th>
- </tr>
- </tbody>
- <tbody>
- {% for bug in advisory.bugs %}
- <tr>
- <td rowspan="3"></td>
- <td rowspan="3" class="text-nowrap">
- {% if bug.name %}
- <div>{% if bug.link %}<a href="{{ bug.link }}">{{ bug.name }}</a>{% else %}{{ bug.name }}{% endif %}</div>
- {% endif %}
- {% if bug.cve %}
- <div><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name={{ bug.cve }}">{{ bug.cve }}</a></div>
- {% endif %}
- {% for link in bug.external_links %}
- <div><a href="{{ link.url }}">{{ link.id }}</a></div>
- {% endfor %}
- </td>
- <td rowspan="3">{{ bug.exploitable_by }}</td>
- {% if bug.affected_note_top %}<td class="has-next-row" colspan="4">{{ bug.affected_note_top }}</td>{% else %}
- <td class="has-next-row">{% if bug.affected_versions.from %}{{ bug.affected_versions.from }}{% else %}*{% endif %}</td>
- <td class="has-next-row">{% if bug.affected_versions.to %}&ndash;{% endif %}</td>
- <td class="has-next-row">{{ bug.affected_versions.to }}</td>
- <td class="has-next-row">
- {% if bug.git_commit %}<a href="https://github.com/irssi/{% if bug.repo %}{{ bug.repo }}{% else %}irssi{% endif %}/commit/{{ bug.git_commit }}">{{ bug.fixed_version }}</a>{% else %}{{ bug.fixed_version }}{% endif %}
- </td>
- {% endif %}
- <td rowspan="3">{{ bug.credit }}</td>
- <td rowspan="3">{{ bug.description }}</td>
- <td rowspan="3"></td>
- </tr>
- <tr>
- {% if bug.affected_note_top %}
- <td class="has-next-row has-previous-row">{% if bug.affected_versions.from %}{{ bug.affected_versions.from }}{% else %}*{% endif %}</td>
- <td class="has-next-row has-previous-row">{% if bug.affected_versions.to %}&ndash;{% endif %}</td>
- <td class="has-next-row has-previous-row">{{ bug.affected_versions.to }}</td>
- <td class="has-next-row has-previous-row">
- {% if bug.git_commit %}<a href="https://github.com/irssi/{% if bug.repo %}{{ bug.repo }}{% else %}irssi{% endif %}/commit/{{ bug.git_commit }}">{{ bug.fixed_version }}</a>{% else %}{{ bug.fixed_version }}{% endif %}
- </td>
- {% else %}
- <td class="has-previous-row" colspan="3" rowspan="2">{% if bug.affected_note_bottom %}{{ bug.affected_note_bottom }}{% endif %}</td>
- <td class="has-previous-row" rowspan="2"></td>
- {% endif %}
- </tr>
- <tr>
- {% if bug.affected_note_top %}
- <td class="has-previous-row" colspan="3">{% if bug.affected_note_bottom %}{{ bug.affected_note_bottom }}{% endif %}</td>
- <td class="has-previous-row"></td>
- {% endif %}
- </tr>
- {% endfor %}
- </tbody>
-{% endfor %}
- </tbody>
-</table>
-
-<h2>Reference</h2>
-
-<p>"Exploitable by" column:</p>
-
-<ul>
- <li>
- <b>Server</b>: Triggered by malicious inputs sent by a server with complete control over the connection<br />
- Example: malformed raw IRC commands
- </li>
- <li>
- <b>Client</b>: Triggered by malicious inputs sent by remote clients with no privileges over the network<br />
- Example: malformed color codes inside a message
- </li>
- <li>
- <b>Local</b>: Exploitable by unprivileged system users with access to the same filesystem<br />
- Example: CVE-2016-7553 (buf.pl information disclosure)
- </li>
- <li>
- <b>Formats</b>: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.<br />
- Example: CVE-2017-5356 (Crash on <code>%[</code>)
- </li>
-</ul>
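Review bot: the table markup at the end of the advisory loop is unbalanced: the second `<tbody>` is closed right after the inner `{% endfor %}`, and then a further `</tbody>` follows the outer `{% endfor %}` with no matching open tag. If this template is moved into a collection layout, drop the trailing `</tbody>` rather than copying it over. The advisory link is also built as `/security/{{ advisory.name | slugify | replace: '-', '_' }}.txt` for any name containing "-SA-", so whatever replaces this page needs to keep emitting files at that exact path.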
diff --git a/security/irssi_sa_2016.txt b/security/irssi_sa_2016.txt
deleted file mode 100644
index 4b60040..0000000
--- a/security/irssi_sa_2016.txt
+++ /dev/null
@@ -1,101 +0,0 @@
-heap corruption and missing boundary checks
-===========================================
-CWE Classification: CWE-20, CWE-823, CWE-126, CWE-122
-
-CVE-2016-7044 [1] was assigned to bug 1
-CVE-2016-7045 [2] was assigned to bug 2
-
-
-Description
------------
-
-Gabriel Campana and Adrien Guinet from Quarkslab reported two remote
-crash and heap corruption vulnerabilites in Irssi's format parsing
-code.
-
-They also provided us with proof of concept exploit code and patches
-to fix those issues.
-
-
-Impact
-------
-
-Remote crash and heap corruption. Remote code execution seems
-difficult since only Nuls are written.
-
-
-Detailed analysis
------------------
-
-Based on analysis Provided by Gabriel Campana and Adrien Guinet from
-Quarkslab:
-
-Bug 1
-
-The unformat_24bit_color() function is called by format_send_to_gui()
-to decode 24bit color codes into their components. The pointer is
-advanced unconditionally without checking if a complete code was
-supplied.
-
-Thus, after the return of unformat_24bit_color(), ptr might be invalid
-and point out of the buffer.
-
-Bug 2
-
-The format_send_to_gui() function does not validate the length of the
-string before incrementing the `ptr' pointer in all cases.
-
-If that happens, the pointer `ptr' can be incremented twice and thus
-end past the boundaries of the original `dup' buffer.
-
-
-Affected versions
------------------
-
-Irssi 0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea
-
-Bug 1 affects only Irssis compiled with true-color enabled.
-Bug 2 affects all Irssis regardless of compilation flags.
-
-
-Fixed in
---------
-
-Irssi 0.8.20
-
-
-Recommended action
-------------------
-
-Upgrade to Irssi 0.8.20. Irssi 0.8.20 is a maintenance release
-without any new features.
-
-After installing the updated packages, one can issue the /upgrade
-command to load the new binary. TLS connections will require
-/reconnect.
-
-
-Fallback action
----------------
-
-Distributions which need to remain on Irssi 0.8.17 are strongly urged
-to apply the patch and provide updated packages.
-
-Those who cannot upgrade right now, but with Perl support enabled in
-their Irssi, can load the following script and add it to
-~/.irssi/scripts/autorun as a first aid to mitigating these issues:
-
-https://irssi.org/security/sa_patch.pl
-
-
-Patch
------
-
-https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b
-
-
-References
-----------
-
-[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044
-[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045
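Review bot: the "Fallback action" section points users at https://irssi.org/security/sa_patch.pl, and security/sa_patch.pl is deleted in this same commit. The part of the commit visible here (limited to 'security', 0 insertions) does not show where the script goes, so please confirm it is still served at that URL after the change, since it is the only mitigation offered to users who cannot upgrade. Separately, the affected-versions line "0.8.17-beta up to and including 0.8.19 up to 0.8.19-219-g52fedea" reads as two overlapping ranges and is worth rewording if the text is migrated.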
diff --git a/security/irssi_sa_2017_01.txt b/security/irssi_sa_2017_01.txt
deleted file mode 100644
index df9adbb..0000000
--- a/security/irssi_sa_2017_01.txt
+++ /dev/null
@@ -1,187 +0,0 @@
-Multiple vulnerabilities in Irssi [1]
-=====================================
-CVE-2017-5193, CVE-2017-5194, CVE-2017-5356, CVE-2017-5195, CVE-2017-5196
-
-Description
------------
-
-Five vulnerabilities have been located in Irssi.
-
-(a) A NULL pointer dereference in the nickcmp function found by Joseph
- Bisch. (CWE-690)
-
- CVE-2017-5193 [2] was assigned to this bug
-
-(b) Use after free when receiving invalid nick message (Issue #466, CWE-416)
-
- CVE-2017-5194 [3] was assigned to this bug
-
-(c) Out of bounds read when Printing the value %[
- Found by Hanno Böck. (CWE-126)
-
- CVE-2017-5356 [4] was assigned to this bug
-
-(d) Out of bounds read in certain incomplete control codes found by
- Joseph Bisch. (CWE-126)
-
- CVE-2017-5195 [5] was assigned to this bug
-
-(e) Out of bounds read in certain incomplete character sequences found
- by Hanno Böck and independently by J. Bisch. (CWE-126)
-
- CVE-2017-5196 [6] was assigned to this bug
-
-
-
-Impact
-------
-
-These issues may result in denial of service (remote crash).
-
-
-Affected versions
------------------
-
-(a) All Irssi versions that we observed
-(b) All Irssi versions that we observed
-(c) All Irssi versions that we observed
-(d) Irssi 0.8.17 and later
-(e) Irssi 0.8.18 and later
-
-
-Fixed in
---------
-
-Irssi 0.8.21, Irssi 1.0.0
-
-
-Recommended action
-------------------
-
-Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
-without any new features.
-
-After installing the updated packages, one can issue the /upgrade
-command to load the new binary. TLS connections will require
-/reconnect.
-
-
-A Note to Distributors
-----------------------
-
-First of all, thanks to every maintainer for their awesome job in
-packaging Irssi and backporting security fixes.
-
-When we had to release a security advisory last year with Irssi
-0.8.20, we noticed there was a huge confusion amongst Ubuntu users
-about whether their Irssi version was safe to use.
-
-Since all our releases 0.8.18, 0.8.19, 0.8.20 and 0.8.21 have been bug
-fix only, we think distributions should just ship the release.
-
-But if the security fixes only are backported on top of an old
-version, we would like to urge distributions to consider indicating
-this in a way that is visible inside Irssi. One way to do this would
-be to manually overwrite the PACKAGE_VERSION and marking your package
-as patched. This can be done for example like this:
-
- ./configure PACKAGE_VERSION=0.8.17-sa201701
-
-
-You can then check the version from inside Irssi with /eval echo $J
-
-As an added benefit over relying on dpkg, this will also correctly
-report whether you had /upgrade done or not. We are looking for a ways
-to make this easier to handle for both packagers and us, so if you
-have a good idea on this matter please speak forth.
-
-
-Mitigating facts
-----------------
-
-(a) requires control over the ircd
-
-(b) and (e) require control over the ircd or otherwise can be
- triggered / avoided by the user themselves
-
-(c) can be triggered / avoided by the user themselves
-
-
-Patch
------
-
-https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
-
-
-Discussion
-----------
-
-(a) CVE-2017-5193: A NULL pointer dereference in the nickcmp function
- found by Joseph Bisch.
-
- The irc_query_find function will call nick_comp_func in order to
- retrieve an associated existing query.
-
- However, the precondition whether nick was not NULL was not
- verified, leading to incorrect API usage of the nick_comp_func and
- ultimately NULL pointer dereference resulting in a crash whenever
- the server produced such a message without nick.
-
-(b) CVE-2017-5194: Use after free when receiving invalid nick message.
-
- Irssi is programmed to cancel the connection when the server
- indicates an invalid nick during the registration phase (in the
- event_nick_invalid function), because Irssi cannot recover from
- this.
-
- A complex (and still not properly fixed) chain of signal
- dependencies emitted by the server_disconnect function, combined
- with the lack of reference counting, leads to multiple use after
- free issues when the server object has already been destroyed, but
- there is currently no way to inform the surrounding code of this
- fact.
-
- As a mitigation, the server_disconnect function is no longer used
- in this case and instead the clean-up is pushed to some upper
- layer. Fixing this properly will still be a lot of work.
-
-(c) CVE-2017-5356: Out of bounds read when Printing the value %[
- Found by Hanno Böck.
-
- The formatting sequence %[...] can be used to execute the
- timestamp and "line_start" commands on each printed line.
-
- The scanner in format_expand_styles will expect it to read unto
- the closing ], but in case the end of string has already been
- reached while searching for the closing bracket, calling code is
- not prepared to deal with this and may advance the char* beyond
- end of string.
-
-(d) CVE-2017-5195: Out of bounds read in certain incomplete control
- codes found by Joseph Bisch.
-
- While parsing the ANSI x8 colour codes, Irssi in many cases failed
- to check whether the end of string had already been reached,
- resulting in this vulnerability.
-
-(e) CVE-2017-5196: Out of bounds read in certain incomplete character
- sequences found by Hanno Böck and independently by J. Bisch.
-
- When copying characters to the terminal screen in the term_addstr
- function, the g_utf8_get_char function was used unconditionally
- without verifying that the input string is proper utf8. As the
- behaviour of that function is undefined for invalid input, it
- would result in this invalid memory access. The correction is to
- use the g_utf8_get_char_validated function instead.
-
-
-
-References
-----------
-
-[1] https://irssi.org/security/irssi_sa_2017_01.txt
-[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193
-[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194
-[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356
-[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195
-[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196
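Review bot: reference [1] is the advisory's own canonical address, https://irssi.org/security/irssi_sa_2017_01.txt, and this hunk removes the file that backs it; the same self-reference appears in the 2017_03, 2017_06, 2017_07, 2017_10 and 2018_01 advisories removed further down. The commit message ("enable security collections") does not say how the collection output is addressed, so please verify that each advisory is still published at its original path, including the .txt suffix and underscore naming, because these URLs have already been circulated in announcements and CVE records.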
diff --git a/security/irssi_sa_2017_03.txt b/security/irssi_sa_2017_03.txt
deleted file mode 100644
index d155884..0000000
--- a/security/irssi_sa_2017_03.txt
+++ /dev/null
@@ -1,57 +0,0 @@
-use after free condition during netjoin processing [1]
-======================================================
-CWE Classification: CWE-416
-
-
-CVE-2017-7191 [2] was assigned to this bug
-
-
-Description
------------
-
-Use after free while producing list of netjoins (CWE-416)
-
-This issue was found and reported to us by APic.
-
-
-Impact
-------
-
-This issue usually leads to segmentation faults. Targeted code
-execution should be difficult.
-
-
-Affected versions
------------------
-
-Irssi up to and including 1.0.1
-
-We believe Irssi 0.8.21 and prior are not affected since a different
-code path causes the netjoins to be flushed prior to reaching the use
-after free condition.
-
-
-Fixed in
---------
-
-Irssi 1.0.2
-
-
-Recommended action
-------------------
-
-Upgrade to Irssi 1.0.2. Irssi 1.0.2 is a maintenance release
-without any new features.
-
-
-Patch
------
-
-https://github.com/irssi/irssi/commit/77b2631c78461965bc9a7414aae206b5c514e1b3
-
-
-References
-----------
-
-[1] https://irssi.org/security/irssi_sa_2017_03.txt
-[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7191
diff --git a/security/irssi_sa_2017_06.txt b/security/irssi_sa_2017_06.txt
deleted file mode 100644
index 0d01f92..0000000
--- a/security/irssi_sa_2017_06.txt
+++ /dev/null
@@ -1,73 +0,0 @@
-IRSSI-SA-2017-06 Irssi Security Advisory [1]
-============================================
-CVE-2017-9468, CVE-2017-9469
-
-Description
------------
-
-Two vulnerabilities have been located in Irssi.
-
-(a) When receiving a DCC message without source nick/host, Irssi would
- attempt to dereference a NULL pointer. Found by Joseph
- Bisch. (CWE-690)
-
- CVE-2017-9468 [2] was assigned to this bug
-
-(b) When receiving certain incorrectly quoted DCC files, Irssi would
- try to find the terminating quote one byte before the allocated
- memory. Found by Joseph Bisch. (CWE-129, CWE-127)
-
- CVE-2017-9469 [3] was assigned to this bug
-
-
-Impact
-------
-
-(a) May result in denial of service (remote crash).
-
-(b) May result in denial of service (remote crash), but in practice
- this seems to be very unlikely unless address sanitizer is
- enabled.
-
-
-Affected versions
------------------
-
-All Irssi versions that we observed.
-
-
-Fixed in
---------
-
-Irssi 1.0.3
-
-
-Recommended action
-------------------
-
-Upgrade to Irssi 1.0.3. Irssi 1.0.3 is a maintenance release in the
-1.0 series, without any new features.
-
-After installing the updated packages, one can issue the /upgrade
-command to load the new binary. TLS connections will require
-/reconnect.
-
-
-Mitigating facts
-----------------
-
-(a) requires control over the ircd
-
-
-Patch
------
-
-https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55
-
-
-References
-----------
-
-[1] https://irssi.org/security/irssi_sa_2017_06.txt
-[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468
-[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469
diff --git a/security/irssi_sa_2017_07.txt b/security/irssi_sa_2017_07.txt
deleted file mode 100644
index 90229ac..0000000
--- a/security/irssi_sa_2017_07.txt
+++ /dev/null
@@ -1,75 +0,0 @@
-IRSSI-SA-2017-07 Irssi Security Advisory [1]
-============================================
-CVE-2017-10965, CVE-2017-10966.
-
-Description
------------
-
-Two vulnerabilities have been located in Irssi.
-
-(a) When receiving messages with invalid time stamps, Irssi would try
- to dereference a NULL pointer. Found by Brian 'geeknik' Carpenter
- of Geeknik Labs. (CWE-690)
-
- CVE-2017-10965 [2] was assigned to this bug
-
-(b) While updating the internal nick list, Irssi may incorrectly use
- the GHashTable interface and free the nick while updating it. This
- will then result in use-after-free conditions on each access of
- the hash table. Found by Brian 'geeknik' Carpenter of Geeknik
- Labs. (CWE-416 caused by CWE-227)
-
- CVE-2017-10966 [3] was assigned to this bug
-
-
-Impact
-------
-
-(a) May result in denial of service (remote crash).
-
-(b) Undefined behaviour.
-
-
-Affected versions
------------------
-
-All Irssi versions that we observed.
-
-
-Fixed in
---------
-
-Irssi 1.0.4
-
-
-Recommended action
-------------------
-
-Upgrade to Irssi 1.0.4. Irssi 1.0.4 is a maintenance release in the
-1.0 series, without any new features.
-
-After installing the updated packages, one can issue the /upgrade
-command to load the new binary. TLS connections will require
-/reconnect.
-
-
-Mitigating facts
-----------------
-
-(a) requires control over the ircd
-
-(b) should not happen with a conforming ircd
-
-
-Patch
------
-
-https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291
-
-
-References
-----------
-
-[1] https://irssi.org/security/irssi_sa_2017_07.txt
-[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
-[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966
diff --git a/security/irssi_sa_2017_10.txt b/security/irssi_sa_2017_10.txt
deleted file mode 100644
index ffca83c..0000000
--- a/security/irssi_sa_2017_10.txt
+++ /dev/null
@@ -1,94 +0,0 @@
-IRSSI-SA-2017-10 Irssi Security Advisory [1]
-============================================
-CVE-2017-15228, CVE-2017-15227, CVE-2017-15721, CVE-2017-15723,
-CVE-2017-15722
-
-Description
------------
-
-Multiple vulnerabilities have been located in Irssi.
-
-(a) When installing themes with unterminated colour formatting
- sequences, Irssi may access data beyond the end of the
- string. (CWE-126) Found by Hanno Böck.
-
- CVE-2017-15228 was assigned to this issue.
-
-(b) While waiting for the channel synchronisation, Irssi may
- incorrectly fail to remove destroyed channels from the query list,
- resulting in use after free conditions when updating the state
- later on. Found by Joseph Bisch. (CWE-416 caused by CWE-672)
-
- CVE-2017-15227 was assigned to this issue.
-
-(c) Certain incorrectly formatted DCC CTCP messages could cause NULL
- pointer dereference. Found by Joseph Bisch. This is a separate,
- but similar issue to CVE-2017-9468. (CWE-690)
-
- CVE-2017-15721 was assigned to this issue.
-
-(d) Overlong nicks or targets may result in a NULL pointer dereference
- while splitting the message. Found by Joseph Bisch. (CWE-690)
-
- CVE-2017-15723 was assigned to this issue.
-
-(e) In certain cases Irssi may fail to verify that a Safe channel ID
- is long enough, causing reads beyond the end of the string. Found
- by Joseph Bisch. (CWE-126)
-
- CVE-2017-15722 was assigned to this issue.
-
-
-Impact
-------
-
-(a,b,c,d) May result in denial of service (remote crash).
-
-(e) May affect the stability of Irssi.
-
-
-Affected versions
------------------
-
-(a,b,c,e) All Irssi versions that we observed.
-
-(d) Starting from 0.8.17.
-
-
-Fixed in
---------
-
-Irssi 1.0.5
-
-
-Recommended action
-------------------
-
-Upgrade to Irssi 1.0.5. Irssi 1.0.5 is a maintenance release in the
-1.0 series, without any new features.
-
-After installing the updated packages, one can issue the /upgrade
-command to load the new binary. TLS connections will require
-/reconnect.
-
-
-Mitigating facts
-----------------
-
-(a) requires user to install malicious or broken theme file
-
-(b,c,e) requires a broken ircd or control over the ircd
-
-(d) irc servers typically have length limits in place
-
-
-Patch
------
-
-https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1
-
-
-References
-----------
-
-[1] https://irssi.org/security/irssi_sa_2017_10.txt
diff --git a/security/irssi_sa_2018_01.txt b/security/irssi_sa_2018_01.txt
deleted file mode 100644
index a9a3686..0000000
--- a/security/irssi_sa_2018_01.txt
+++ /dev/null
@@ -1,78 +0,0 @@
-IRSSI-SA-2018-01 Irssi Security Advisory [1]
-============================================
-CVE-2018-5206, CVE-2018-5205, CVE-2018-5208, CVE-2018-5207
-
-Description
------------
-
-Multiple vulnerabilities have been located in Irssi.
-
-(a) When the channel topic is set without specifying a sender, Irssi
- may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)
-
- CVE-2018-5206 was assigned to this issue.
-
-(b) When using incomplete escape codes, Irssi may access data beyond
- the end of the string. (CWE-126) Found by Joseph Bisch.
-
- CVE-2018-5205 was assigned to this issue.
-
-(c) A calculation error in the completion code could cause a heap
- buffer overflow when completing certain strings. (CWE-126) Found
- by Joseph Bisch.
-
- CVE-2018-5208 was assigned to this issue.
-
-(d) When using an incomplete variable argument, Irssi may access data
- beyond the end of the string. (CWE-126) Found by Joseph Bisch.
-
- CVE-2018-5207 was assigned to this issue.
-
-
-Impact
-------
-
-May affect the stability of Irssi.
-
-
-Affected versions
------------------
-
-(a,b,c,d) All Irssi versions that we observed.
-
-
-Fixed in
---------
-
-Irssi 1.0.6
-
-
-Recommended action
-------------------
-
-Upgrade to Irssi 1.0.6. Irssi 1.0.6 is a maintenance release in the
-1.0 series, without any new features.
-
-After installing the updated packages, one can issue the /upgrade
-command to load the new binary. TLS connections will require
-/reconnect.
-
-
-Mitigating facts
-----------------
-
-(a) requires a broken ircd or control over the ircd
-
-(b,d) requires user to install malicious or broken files or enter
- affected commands
-
-
-Patch
------
-https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff
-
-
-References
-----------
-
-[1] https://irssi.org/security/irssi_sa_2018_01.txt
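Review bot: item (c) is described as "a heap buffer overflow when completing certain strings" but is tagged CWE-126, the identifier this and the other advisories otherwise attach to reads beyond the end of a string; the 2016 advisory used CWE-122 alongside its heap corruption. If the text is migrated, either correct the CWE or reword the description so the two agree. "Mitigating facts" also covers (a) and (b,d) but says nothing about (c), which leaves readers unsure whether any mitigation exists for the one item described as an overflow.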
diff --git a/security/sa_patch.pl b/security/sa_patch.pl
deleted file mode 100644
index 95c80b4..0000000
--- a/security/sa_patch.pl
+++ /dev/null
@@ -1,2 +0,0 @@
-Irssi::signal_add_first("print text", sub {
- for ($_[1]) { $_ .= ' ' if /\cD(?!.....)/s } &Irssi::signal_continue })
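Review bot: the script has no comment saying which advisory it belongs to or what the regex guards against, which matters for a file users are told to drop into ~/.irssi/scripts/autorun. As written, `$_ .= ' ' if /\cD(?!.....)/s` appends a single space whenever a \cD is followed by fewer than five characters, so a \cD with three or fewer characters after it still has fewer than five following it afterwards; if one byte of padding is all the workaround needs, a comment stating that would prevent it being read as an oversight. If the file is re-added elsewhere, a short header naming CVE-2016-7044 and CVE-2016-7045 and the versions it applies to would help.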