-rw-r--r-- | _data/sb_whatsnew.yml | 6
-rw-r--r-- | _posts/2017-06-06-irssi-1.0.3-released.markdown | 26
-rw-r--r-- | download/index.markdown | 2
-rw-r--r-- | security/irssi_sa_2017_06.txt | 66
4 files changed, 96 insertions, 4 deletions
diff --git a/_data/sb_whatsnew.yml b/_data/sb_whatsnew.yml index d8aca34..e83f52f 100644 --- a/_data/sb_whatsnew.yml +++ b/_data/sb_whatsnew.yml @@ -1,4 +1,7 @@ - + key: irssi-1.0.3-released + tag: Security +- key: fuzzing-irssi title: Introduction to fuzzing Irssi - @@ -9,7 +12,4 @@ key: poll-non-utf8-discontinuation tag: Poll title: Non-UTF-8 discontinuation -- - key: irssi-1.0.2-released - tag: Security diff --git a/_posts/2017-06-06-irssi-1.0.3-released.markdown b/_posts/2017-06-06-irssi-1.0.3-released.markdown new file mode 100644 index 0000000..e635855 --- /dev/null +++ b/_posts/2017-06-06-irssi-1.0.3-released.markdown @@ -0,0 +1,26 @@ +--- +layout: post +title: "Irssi 1.0.3 Released" +--- + +Irssi 1.0.3 has been released. This release fixes two remote crash issue +in Irssi as well as a few bug fixes, the most notable that TLS can now be disabled from within the text-UI. There are no new features. **All Irssi users should upgrade to this version**. See the +[NEWS](//raw.githubusercontent.com/irssi/irssi/1.0.3/NEWS) for +details. + +This release can be downloaded from [our releases +page](https://github.com/irssi/irssi/releases). Binary test packages +for various Linux distributions are automatically generated by the +[openSUSE Build Service](https://build.opensuse.org/) and are +available for download in the +[irssi-test](https://software.opensuse.org/download.html?project=home:ailin_nemui:irssi-test;package=irssi) +repository. + +Please check with your distro whether they provide officially updated +packages. + +Read the [security advisory](/security/irssi_sa_2017_06.txt). + +We currently do not have any alternate advice. + +The Irssi Team. diff --git a/download/index.markdown b/download/index.markdown index d9c87cf..c26da4d 100644 --- a/download/index.markdown +++ b/download/index.markdown 
@@ -3,7 +3,7 @@ layout: page title: Getting Irssi permalink: /download/ categories: [ _nav, _6 ] -version: 1.0.2 +version: 1.0.3 --- There are several ways you can get Irssi<span class="hidden-md hidden-lg">:</span> diff --git a/security/irssi_sa_2017_06.txt b/security/irssi_sa_2017_06.txt new file mode 100644 index 0000000..5f0cfd8 --- /dev/null +++ b/security/irssi_sa_2017_06.txt @@ -0,0 +1,66 @@ +IRSSI-SA-2017-06 Irssi Security Advisory [1] +============================================ + +Description +----------- + +Two vulnerabilities have been located in Irssi. + +(a) When receiving a DCC message without source nick/host, Irssi would + attempt to dereference a NULL pointer. Found by Joseph + Bisch. (CWE-690) + +(b) When receiving certain incorrectly quoted DCC files, Irssi would + try to find the terminating quote outside of allocated + memory. Found by Joseph Bisch. (CWE-129, CWE-127) + + +Impact +------ + +(a) May result in denial of service (remote crash). + +(b) May result in denial of service (remote crash), but in practice + this seems to be very unlikely unless address sanitizer is + enabled. + + +Affected versions +----------------- + +All Irssi versions that we observed. + + +Fixed in +-------- + +Irssi 1.0.3 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.3. Irssi 1.0.3 is a maintenance release in the +1.0 series, without any new features. + +After installing the updated packages, one can issue the /upgrade +command to load the new binary. TLS connections will require +/reconnect. + + +Mitigating facts +---------------- + +(a) requires control over the ircd + + +Patch +----- + +https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_06.txt |
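Review bot: in the new _posts/2017-06-06-irssi-1.0.3-released.markdown, the opening paragraph reads "fixes two remote crash issue", which should be "issues", and "fixes ... as well as a few bug fixes, the most notable that TLS can now be disabled" does not parse cleanly. Suggest "This release fixes two remote crash issues in Irssi and includes a few bug fixes, the most notable being that TLS can now be disabled from within the text-UI." The NEWS link in the same paragraph is protocol-relative (//raw.githubusercontent.com/...) while the other external links in the post spell out https://; writing https:// there as well would make the links consistent.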
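Review bot: in security/irssi_sa_2017_06.txt, "Affected versions" says only "All Irssi versions that we observed" and names no version, so a packager maintaining an older branch cannot tell from the advisory whether a backport is needed. Suggest stating the oldest release that was actually checked. In the same file, "Mitigating facts" has an entry for (a) but none for (b); the Impact section already notes that a crash from (b) "seems to be very unlikely unless address sanitizer is enabled", so either repeat that under Mitigating facts or say explicitly that none are known for (b), so that the two lettered lists line up.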