-rw-r--r-- | _includes/sb_whatsnew.html | 2
-rw-r--r-- | _posts/2017-03-11-irssi-1.0.2-released.markdown | 42
-rw-r--r-- | download/index.markdown | 2
-rw-r--r-- | security/irssi_sa_2017_01.txt | 2
-rw-r--r-- | security/irssi_sa_2017_03.txt | 56
5 files changed, 101 insertions, 3 deletions
diff --git a/_includes/sb_whatsnew.html b/_includes/sb_whatsnew.html index 7e6b3dd..cc46ee6 100644 --- a/_includes/sb_whatsnew.html +++ b/_includes/sb_whatsnew.html @@ -1,3 +1,3 @@ -<p><small>2017-02-05</small> <a href="/2017/02/05/irssi-1.0.1-released">Irssi 1.0.1 released!</a> </p> +<p><small>2017-03-11</small> <a href="/2017/03/11/irssi-1.0.2-released"><b>Security</b> Irssi 1.0.2 released!</a> </p> <p><small>2017-01-05</small> <a href="/2017/01/05/irssi-0.8.21-released"><b>Security</b> Irssi 0.8.21 released!</a> </p> <p><small>2015-12-15</small> <a href="/2015/12/14/irssi-website-now-on-github-pages">Irssi site now on github pages!</a> </p> diff --git a/_posts/2017-03-11-irssi-1.0.2-released.markdown b/_posts/2017-03-11-irssi-1.0.2-released.markdown new file mode 100644 index 0000000..a2c9bbe --- /dev/null +++ b/_posts/2017-03-11-irssi-1.0.2-released.markdown 
@@ -0,0 +1,42 @@ +--- +layout: post +title: "Irssi 1.0.2 Released" +--- + +Irssi 1.0.2 has been released. This release fixes a remote crash issue +in Irssi 1.0 as well as a few bug fixes, the most notable a regression +that broke incoming DCC file transfers. There are no new +features. **All Irssi 1.0 users should upgrade to this version**. See the +[NEWS](//raw.githubusercontent.com/irssi/irssi/1.0.2/NEWS) for +details. + +Furthermore, we need to emphasise that in Irssi 1.0 up to and +including 1.0.2, GRegex is [not UTF-8 +compliant](https://github.com/irssi/irssi/issues/636). Enabling UTF-8 +in GRegex while receiving arbitrary messages (i.e. invalid UTF-8, as +happens frequently on IRC) would lead to memory issues and crashes, +therefore it is currently operating in byte mode. You can either +choose to revert to your system provided regex engine using +`--disable-gregex` at ./configure time and hope that it does whatever +you need, or join the discussion on issue #636 for how to best solve +this problem, or apply the +[patch](https://github.com/irssi/irssi/pull/653.patch) from PR#653 if +you need proper Unicode-aware regexen in `/hilight` and `/ignore` as +an intermediate solution. + +This release can be downloaded from [our releases +page](https://github.com/irssi/irssi/releases). Binary test packages +for various Linux distributions are automatically generated by the +[openSUSE Build Service](https://build.opensuse.org/) and are +available for download in the +[irssi-test](https://software.opensuse.org/download.html?project=home:ailin_nemui:irssi-test;package=irssi) +repository. + +Please check with your distro whether they provide officially updated +packages. + +Read the [security advisory](/security/irssi_sa_2017_03.txt). + +We currently do not have any alternate advice. + +The Irssi Team. diff --git a/download/index.markdown b/download/index.markdown index ef7d934..f65d315 100644 --- a/download/index.markdown +++ b/download/index.markdown 
@@ -3,7 +3,7 @@ layout: page title: Getting Irssi permalink: /download/ categories: [ _nav, _6 ] -version: 1.0.1 +version: 1.0.2 --- There are several ways you can get Irssi<span class="hidden-md hidden-lg">:</span> diff --git a/security/irssi_sa_2017_01.txt b/security/irssi_sa_2017_01.txt index 195ec99..df9adbb 100644 --- a/security/irssi_sa_2017_01.txt +++ b/security/irssi_sa_2017_01.txt @@ -12,7 +12,7 @@ Five vulnerabilities have been located in Irssi. CVE-2017-5193 [2] was assigned to this bug -(b) Use after free when receiving invalid nick message (Issue #466, CWE-146) +(b) Use after free when receiving invalid nick message (Issue #466, CWE-416) CVE-2017-5194 [3] was assigned to this bug diff --git a/security/irssi_sa_2017_03.txt b/security/irssi_sa_2017_03.txt new file mode 100644 index 0000000..936aec6 --- /dev/null +++ b/security/irssi_sa_2017_03.txt @@ -0,0 +1,56 @@ +use after free condition during netjoin processing [1] +====================================================== +CWE Classification: CWE-416 + + +CVE-2017-xxxx [2] will be updated once cve assigned. + + +Description +----------- + +Use after free while producing list of netjoins (CWE-416) + +This issue was found and reported to us by APic. + + +Impact +------ + +This issue usually leads to segmentation faults. Targeted code +execution should be difficult. + + +Affected versions +----------------- + +Irssi up to and including 1.0.1 + +We believe Irssi 0.8.21 and prior are not affected since a different +code path causes the netjoins to be flushed prior to reaching the use +after free condition. + + +Fixed in +-------- + +Irssi 1.0.2 + + +Recommended action +------------------ + +Upgrade to Irssi 1.0.2. Irssi 1.0.2 is a maintenance release +without any new features. + + +Patch +----- + +https://github.com/irssi/irssi/commit/77b2631c78461965bc9a7414aae206b5c514e1b3 + + +References +---------- + +[1] https://irssi.org/security/irssi_sa_2017_03.txt |
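Review bot: In _posts/2017-03-11-irssi-1.0.2-released.markdown, the GRegex paragraph tells users to apply https://github.com/irssi/irssi/pull/653.patch, which is a pull-request URL rather than a fixed commit, so what it serves changes whenever the PR is updated and readers cannot tell which revision they are applying. Link to a specific commit once one exists, the way the Patch section of irssi_sa_2017_03.txt does. The NEWS link in the first paragraph is protocol-relative (`//raw.githubusercontent.com/irssi/irssi/1.0.2/NEWS`); writing it with an explicit https:// keeps it from following the scheme of whatever page renders the post.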
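Review bot: In security/irssi_sa_2017_01.txt, item (b) changes CWE-146 to CWE-416 in an advisory that is already published, and this change adds no revision note to the file. CWE-416 matches the "Use after free" wording of the item and the classification used in irssi_sa_2017_03.txt in this same commit, so the correction itself looks right; add a dated revision line to the advisory so that readers and downstream trackers that copied the old identifier can see it was corrected.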
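Review bot: In security/irssi_sa_2017_03.txt, the "Affected versions" section opens with "Irssi up to and including 1.0.1" and then says 0.8.21 and prior are believed not affected, so the first line overstates the range as written. Give the range a lower bound that agrees with the second paragraph, so that anyone packaging 0.8.x can read the section without ambiguity. Separately, the CVE line cites "[2]" but the References section only defines [1]; add a placeholder [2] entry or drop the marker until the CVE is assigned.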