-rw-r--r-- _includes/sb_whatsnew.html 2
-rw-r--r-- _posts/2017-03-11-irssi-1.0.2-released.markdown 42
-rw-r--r-- download/index.markdown 2
-rw-r--r-- security/irssi_sa_2017_01.txt 2
-rw-r--r-- security/irssi_sa_2017_03.txt 56
5 files changed, 101 insertions, 3 deletions
diff --git a/_includes/sb_whatsnew.html b/_includes/sb_whatsnew.html
index 7e6b3dd..cc46ee6 100644
--- a/_includes/sb_whatsnew.html
+++ b/_includes/sb_whatsnew.html
@@ -1,3 +1,3 @@
-<p><small>2017-02-05</small> <a href="/2017/02/05/irssi-1.0.1-released">Irssi 1.0.1 released!</a> </p>
+<p><small>2017-03-11</small> <a href="/2017/03/11/irssi-1.0.2-released"><b>Security</b> Irssi 1.0.2 released!</a> </p>
<p><small>2017-01-05</small> <a href="/2017/01/05/irssi-0.8.21-released"><b>Security</b> Irssi 0.8.21 released!</a> </p>
<p><small>2015-12-15</small> <a href="/2015/12/14/irssi-website-now-on-github-pages">Irssi site now on github pages!</a> </p>
diff --git a/_posts/2017-03-11-irssi-1.0.2-released.markdown b/_posts/2017-03-11-irssi-1.0.2-released.markdown
new file mode 100644
index 0000000..a2c9bbe
--- /dev/null
+++ b/_posts/2017-03-11-irssi-1.0.2-released.markdown
@@ -0,0 +1,42 @@
+---
+layout: post
+title: "Irssi 1.0.2 Released"
+---
+
+Irssi 1.0.2 has been released. This release fixes a remote crash issue
+in Irssi 1.0 as well as a few bug fixes, the most notable a regression
+that broke incoming DCC file transfers. There are no new
+features. **All Irssi 1.0 users should upgrade to this version**. See the
+[NEWS](//raw.githubusercontent.com/irssi/irssi/1.0.2/NEWS) for
+details.
+
+Furthermore, we need to emphasise that in Irssi 1.0 up to and
+including 1.0.2, GRegex is [not UTF-8
+compliant](https://github.com/irssi/irssi/issues/636). Enabling UTF-8
+in GRegex while receiving arbitrary messages (i.e. invalid UTF-8, as
+happens frequently on IRC) would lead to memory issues and crashes,
+therefore it is currently operating in byte mode. You can either
+choose to revert to your system provided regex engine using
+`--disable-gregex` at ./configure time and hope that it does whatever
+you need, or join the discussion on issue #636 for how to best solve
+this problem, or apply the
+[patch](https://github.com/irssi/irssi/pull/653.patch) from PR#653 if
+you need proper Unicode-aware regexen in `/hilight` and `/ignore` as
+an intermediate solution.
+
+This release can be downloaded from [our releases
+page](https://github.com/irssi/irssi/releases). Binary test packages
+for various Linux distributions are automatically generated by the
+[openSUSE Build Service](https://build.opensuse.org/) and are
+available for download in the
+[irssi-test](https://software.opensuse.org/download.html?project=home:ailin_nemui:irssi-test;package=irssi)
+repository.
+
+Please check with your distro whether they provide officially updated
+packages.
+
+Read the [security advisory](/security/irssi_sa_2017_03.txt).
+
+We currently do not have any alternate advice.
+
+The Irssi Team.
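Review bot: The NEWS link in the first paragraph uses a protocol-relative URL (`//raw.githubusercontent.com/irssi/irssi/1.0.2/NEWS`) while every other external link in the post spells out `https://`; use the explicit scheme so the link cannot resolve over plain HTTP when the page is served or mirrored that way. The closing line "We currently do not have any alternate advice." also does not say what it is an alternative to; wording it as "there is no workaround other than upgrading" would match the advisory's recommended action.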
diff --git a/download/index.markdown b/download/index.markdown
index ef7d934..f65d315 100644
--- a/download/index.markdown
+++ b/download/index.markdown
@@ -3,7 +3,7 @@ layout: page
title: Getting Irssi
permalink: /download/
categories: [ _nav, _6 ]
-version: 1.0.1
+version: 1.0.2
---
There are several ways you can get Irssi<span class="hidden-md hidden-lg">:</span>
diff --git a/security/irssi_sa_2017_01.txt b/security/irssi_sa_2017_01.txt
index 195ec99..df9adbb 100644
--- a/security/irssi_sa_2017_01.txt
+++ b/security/irssi_sa_2017_01.txt
@@ -12,7 +12,7 @@ Five vulnerabilities have been located in Irssi.
CVE-2017-5193 [2] was assigned to this bug
-(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
+(b) Use after free when receiving invalid nick message (Issue #466, CWE-416)
CVE-2017-5194 [3] was assigned to this bug
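Review bot: The CWE correction on item (b) edits an already published advisory in place with no revision note, so a reader who saw CWE-146 has no record that the text changed. Consider appending a dated revision line to irssi_sa_2017_01.txt stating that the classification of item (b) was corrected to CWE-416, which is also the classification irssi_sa_2017_03.txt uses for its use after free.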
diff --git a/security/irssi_sa_2017_03.txt b/security/irssi_sa_2017_03.txt
new file mode 100644
index 0000000..936aec6
--- /dev/null
+++ b/security/irssi_sa_2017_03.txt
@@ -0,0 +1,56 @@
+use after free condition during netjoin processing [1]
+======================================================
+CWE Classification: CWE-416
+
+
+CVE-2017-xxxx [2] will be updated once cve assigned.
+
+
+Description
+-----------
+
+Use after free while producing list of netjoins (CWE-416)
+
+This issue was found and reported to us by APic.
+
+
+Impact
+------
+
+This issue usually leads to segmentation faults. Targeted code
+execution should be difficult.
+
+
+Affected versions
+-----------------
+
+Irssi up to and including 1.0.1
+
+We believe Irssi 0.8.21 and prior are not affected since a different
+code path causes the netjoins to be flushed prior to reaching the use
+after free condition.
+
+
+Fixed in
+--------
+
+Irssi 1.0.2
+
+
+Recommended action
+------------------
+
+Upgrade to Irssi 1.0.2. Irssi 1.0.2 is a maintenance release
+without any new features.
+
+
+Patch
+-----
+
+https://github.com/irssi/irssi/commit/77b2631c78461965bc9a7414aae206b5c514e1b3
+
+
+References
+----------
+
+[1] https://irssi.org/security/irssi_sa_2017_03.txt
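Review bot: The CVE line cites "[2]", but the References section at the end of the new file lists only [1], so the marker is dangling; either add a [2] entry (a placeholder for the CVE URL until one is assigned) or drop the marker until then. The "Affected versions" section says "Irssi up to and including 1.0.1" and then states that 0.8.21 and prior are believed not affected, so the range should name its lower bound explicitly instead of reading as all earlier versions. The Description only restates the title; one sentence on what kind of input reaches the netjoin list code would help readers judge exposure.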