diff options
| -rw-r--r-- | _data/security.yml | 203 | ||||
| -rw-r--r-- | assets/css/style.css | 17 | ||||
| -rw-r--r-- | security/index.html | 79 |
3 files changed, 144 insertions, 155 deletions
diff --git a/_data/security.yml b/_data/security.yml index d4352b8..64d5c64 100644 --- a/_data/security.yml +++ b/_data/security.yml @@ -1,151 +1,106 @@ -- name: IRSSI-SA-2016 +--- +- + name: IRSSI-SA-2016 release_date: 2016-09-14 git_commit: 295a4b77f07f14602eeaa371f00ddbf09910c82b bugs: - - name: CVE-2016-7044 - external_links: - - id: CVE-2016-7044 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044 - - id: IRSSI-SA-2016 - url: https://irssi.org/security/irssi_sa_2016.txt + - + cve: CVE-2016-7044 exploitable_by: client - affected_versions: 0.8.17-0.8.19 (with truecolor) + affected_versions: + from: 0.8.17 + to: 0.8.19 + affected_note_bottom: '(with truecolor)' fixed_version: 0.8.20 - release_date: 2016-09-14 - git_commit: 295a4b77f07f14602eeaa371f00ddbf09910c82b - credit: Gabriel Campana and Adrien Guinet from Quarkslab - description: | - Remote crash and heap corruption in format parsing code - - - name: CVE-2016-7045 - external_links: - - id: CVE-2016-7045 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045 - - id: IRSSI-SA-2016 - url: https://irssi.org/security/irssi_sa_2016.txt + credit: 'Gabriel Campana and Adrien Guinet from Quarkslab' + description: 'Remote crash and heap corruption in format parsing code' + - + cve: CVE-2016-7045 exploitable_by: client - affected_versions: 0.8.17-0.8.19 + affected_versions: + from: 0.8.17 + to: 0.8.19 fixed_version: 0.8.20 - release_date: 2016-09-14 - git_commit: 295a4b77f07f14602eeaa371f00ddbf09910c82b - credit: Gabriel Campana and Adrien Guinet from Quarkslab - description: | - Remote crash and heap corruption in format parsing code - -- name: BUF-PL-SA-2016 + credit: 'Gabriel Campana and Adrien Guinet from Quarkslab' + description: 'Remote crash and heap corruption in format parsing code' +- + name: BUF-PL-SA-2016 + affected_note: buf.pl release_date: 2016-09-09 git_commit: f1b1eb154baa684fad5d65bf4dff79c8ded8b65a + repo: scripts.irssi.org bugs: - - name: CVE-2016-7553 - external_links: - - id: CVE-2016-7553 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7553 - - id: BUF-PL-SA-2016 - url: https://irssi.org/security/buf_pl_sa_2016.txt - exploitable_by: local users - affected_versions: "buf.pl *-2.13" - fixed_version: buf.pl 2.20 - release_date: 2016-09-09 - repo: scripts.irssi.org - git_commit: f1b1eb154baa684fad5d65bf4dff79c8ded8b65a - credit: Juerd Waalboer - description: | - Information disclosure vulnerability - -- name: IRSSI-SA-2017-01 + - + cve: CVE-2016-7553 + exploitable_by: local + affected_versions: + from: '*' + to: '2.13' + fixed_version: '2.20' + credit: 'Juerd Waalboer' + description: 'Information disclosure vulnerability' +- + name: IRSSI-SA-2017-01 release_date: 2017-01-05 git_commit: 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d bugs: - - name: CVE-2017-5193 - external_links: - - id: CVE-2017-5193 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5193 - - id: IRSSI-SA-2017-01 - url: https://irssi.org/security/irssi_sa_2017_01.txt + - + cve: CVE-2017-5193 exploitable_by: server - affected_versions: "*-0.8.20" + affected_versions: + from: '*' + to: 0.8.20 fixed_version: 0.8.21 - release_date: 2017-01-05 - git_commit: 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d - credit: Joseph Bisch - description: | - NULL pointer dereference in the nickcmp function - - - name: CVE-2017-5194 - external_links: - - id: CVE-2017-5194 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5194 - - id: IRSSI-SA-2017-01 - url: https://irssi.org/security/irssi_sa_2017_01.txt + credit: 'Joseph Bisch' + description: 'NULL pointer dereference in the nickcmp function' + - + cve: CVE-2017-5194 exploitable_by: server - affected_versions: "*-0.8.20" + affected_versions: + from: '*' + to: 0.8.20 fixed_version: 0.8.21 - release_date: 2017-01-05 - git_commit: 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d - credit: - description: | - Use after free when receiving invalid nick message - - - name: CVE-2017-5195 - external_links: - - id: CVE-2017-5195 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5195 - - id: IRSSI-SA-2017-01 - url: https://irssi.org/security/irssi_sa_2017_01.txt + credit: ~ + description: "Use after free when receiving invalid nick message\n" + - + cve: CVE-2017-5356 + exploitable_by: formats + affected_versions: + from: '*' + to: 0.8.20 + fixed_version: 0.8.21 + credit: 'Hanno Böck' + description: 'Out of bounds read when printing the value %[' + - + cve: CVE-2017-5195 exploitable_by: client - affected_versions: 0.8.17-0.8.20 + affected_versions: + from: 0.8.17 + to: 0.8.20 fixed_version: 0.8.21 - release_date: 2017-01-05 - git_commit: 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d - credit: Joseph Bisch - description: | - Out of bounds read in certain incomplete control codes - - - name: CVE-2017-5196 - external_links: - - id: CVE-2017-5196 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5196 - - id: IRSSI-SA-2017-01 - url: https://irssi.org/security/irssi_sa_2017_01.txt + credit: 'Joseph Bisch' + description: 'Out of bounds read in certain incomplete control codes' + - + cve: CVE-2017-5196 exploitable_by: server - affected_versions: 0.8.18-0.8.20 - fixed_version: 0.8.21 - release_date: 2017-01-05 - git_commit: 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d - credit: Hanno Böck and independently by Joseph Bisch - description: | - Out of bounds read in certain incomplete character sequences - - - name: CVE-2017-5356 - external_links: - - id: CVE-2017-5356 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5356 - - id: IRSSI-SA-2017-01 - url: https://irssi.org/security/irssi_sa_2017_01.txt - exploitable_by: local formats - affected_versions: "*-0.8.20" + affected_versions: + from: 0.8.18 + to: 0.8.20 fixed_version: 0.8.21 - release_date: 2017-01-05 - git_commit: 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d - credit: Hanno Böck - description: | - Out of bounds read when printing the value %[ - -- name: IRSSI-SA-2017-03 + credit: 'Hanno Böck and independently by Joseph Bisch' + description: "Out of bounds read in certain incomplete character sequences\n" +- + name: IRSSI-SA-2017-03 release_date: 2017-03-10 git_commit: 77b2631c78461965bc9a7414aae206b5c514e1b3 bugs: - - name: CVE-2017-7191 - external_links: - - id: CVE-2017-7191 - url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7191 - - id: IRSSI-SA-2017-03 - url: https://irssi.org/security/irssi_sa_2017_03.txt + - + cve: CVE-2017-7191 exploitable_by: server - affected_versions: "1.0.0-1.0.1" + important: True + affected_versions: + from: 1.0.0 + to: 1.0.1 fixed_version: 1.0.2 - release_date: 2017-03-10 - git_commit: 77b2631c78461965bc9a7414aae206b5c514e1b3 credit: APic - description: | - Use after free while producing list of netjoins + description: "Use after free while producing list of netjoins\n" diff --git a/assets/css/style.css b/assets/css/style.css index f856829..745136f 100644 --- a/assets/css/style.css +++ b/assets/css/style.css @@ -128,6 +128,23 @@ a[rel="external"]:after,a.rel-external:after { font-size: 51%; } +a.link-icon:after { + position: absolute; + font-family: 'Glyphicons Halflings'; + content: "\e164"; /* glyphicon-new-window */ +} + +.table td.has-next-row, +.table th.has-next-row { + padding-top: 4px; + padding-bottom: 0; +} + +.table td.has-previous-row { + border-top: 0; + padding-top: 0; +} + .navbar-nav a[rel="external"]:after { font-size: 100%; } diff --git a/security/index.html b/security/index.html index dd66378..b1af350 100644 --- a/security/index.html +++ b/security/index.html @@ -1,53 +1,70 @@ --- layout: page title: Security -permalink: /security/ +permalink: security/ categories: [ _nav ] --- <table class="table"> <thead> - <tr class="text-nowrap"> - <th>Links</th> - <th>Exploitable by</th> - <th>Affected versions</th> - <th>Fixed in version</th> + <tr class="text-nowrap"> + <th colspan="2">Links</th> + <th>Exploitable</th> + <th colspan="3">Versions affected</th> + <th>Fixed</th> <th>Release date</th> <th>Git commit</th> <th>Credit</th> - <th>Description</th> - </tr> + <th colspan="2">Description</th> + </tr> </thead> - <tbody> {% assign advisories = site.data.security %} {% for advisory in advisories reversed %} + <tbody> <tr> - <td>{{ advisory.name }}</td> - <td></td> - <td></td> - <td></td> - <td>{{ advisory.release_date }}</td> - <td><a href="https://github.com/irssi/{% if advisory.repo %}{{ advisory.repo }}{% else %}irssi{% endif %}/commit/{{ advisory.git_commit }}">{{ advisory.git_commit | truncate: 8, "" }}</a></td> - <td></td> - <td></td> + <th colspan="3">{% if advisory.link %}<a href="{{ advisory.link }}">{{ advisory.name }}</a>{% elsif advisory.name contains "-SA-" %}<a href="{{ site.baseurl }}/security/{{ advisory.name | slugify | replace: '-', '_' }}.txt">{{ advisory.name }}</a>{% else %}{{ advisory.name }}{% endif %}</th> + <th colspan="4">{% if advisory.affected_note %}{{ advisory.affected_note }}{% endif %}</th> + <th>{{ advisory.release_date }}</th> + <th>{% if advisory.git_commit %}<a class="link-icon" href="https://github.com/irssi/{% if advisory.repo %}{{ advisory.repo }}{% else %}irssi{% endif %}/commit/{{ advisory.git_commit }}"> </a>{% endif %}</th> + <th colspan="3"></th> </tr> + </tbody> + <tbody> {% for bug in advisory.bugs %} - <tr> - <td class="text-nowrap"> - {% for link in bug.external_links %} + <tr{% if bug.important %} class="warning"{% endif %}> + <td rowspan="3"></td> + <td rowspan="3" class="text-nowrap"> + {% if bug.name %} + <div>{% if bug.link %}<a href="{{ bug.link }}">{{ bug.name }}</a>{% else %}{{ bug.name }}{% endif %}</div> + {% endif %} + {% if bug.cve %} + <div><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name={{ bug.cve }}">{{ bug.cve }}</a></div> + {% endif %} + {% for link in bug.external_links %} <div><a href="{{ link.url }}">{{ link.id }}</a></div> - {% endfor %} + {% endfor %} </td> - <td>{{ bug.exploitable_by }}</td> - <td>{{ bug.affected_versions }}</td> - <td> + <td rowspan="3">{{ bug.exploitable_by }}</td> + <td class="has-next-row" colspan="4">{% if bug.affected_note_top %}{{ bug.affected_note_top }}{% endif %}</td> + <td rowspan="3">{% comment %} release date {% endcomment %}</td> + <td rowspan="3">{% if bug.git_commit %}<a class="link-icon" href="https://github.com/irssi/{% if bug.repo %}{{ bug.repo }}{% else %}irssi{% endif %}/commit/{{ bug.git_commit }}"> </a>{% endif %}</td> + <td rowspan="3">{{ bug.credit }}</td> + <td rowspan="3">{{ bug.description }}</td> + <td rowspan="3"></td> + </tr> + <tr{% if bug.important %} class="warning"{% endif %}> + <td class="has-next-row has-previous-row">{{ bug.affected_versions.from }}</td> + <td class="has-next-row has-previous-row">–</td> + <td class="has-next-row has-previous-row">{{ bug.affected_versions.to }}</td> + <td class="has-next-row has-previous-row"> {{ bug.fixed_version }} </td> - <td></td> - <td></td> - <td>{{ bug.credit }}</td> - <td>{{ bug.description }}</td> - </tr> + </tr> + <tr{% if bug.important %} class="warning"{% endif %}> + <td class="has-previous-row" colspan="3">{% if bug.affected_note_bottom %}{{ bug.affected_note_bottom }}{% endif %}</td> + <td class="has-previous-row"></td> + </tr> {% endfor %} + </tbody> {% endfor %} </tbody> </table> @@ -66,11 +83,11 @@ categories: [ _nav ] Example: malformed color codes inside a message </li> <li> - <b>Local users</b>: Exploitable by unprivileged system users with access to the same filesystem<br /> + <b>Local</b>: Exploitable by unprivileged system users with access to the same filesystem<br /> Example: CVE-2016-7553 (buf.pl information disclosure) </li> <li> - <b>Local formats</b>: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.<br /> + <b>Formats</b>: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.<br /> Example: CVE-2017-5356 (Crash on <code>%[</code>) </li> </ul> |