1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
---
name: IRSSI-SA-2018-02
release_date: 2018-02-17
bugs:
-
cve: CVE-2018-7054
cwe: CWE-416, CWE-825
exploitable_by: remote
affected_versions:
from: 1.0.0
to: [ 1.0.6, 1.1.0 ]
fixed_version: [ 1.0.7, 1.1.1 ]
credit: 'Joseph Bisch'
description: Use after free when server is disconnected during netsplits. Incomplete fix of CVE-2017-7191.
-
cve: CVE-2018-7053
cwe: CWE-416, CWE-691
exploitable_by: server
affected_versions:
from: 0.8.18
to: [ 1.0.6, 1.1.0 ]
fixed_version: [ 1.0.7, 1.1.1 ]
credit: 'Joseph Bisch'
description: Use after free when SASL messages are received in unexpected order.
mitigating_info: requires a non-conforming ircd
-
cve: CVE-2018-7050
cwe: CWE-476, CWE-475
exploitable_by: server
affected_versions:
to: [ 1.0.6, 1.1.0 ]
fixed_version: [ 1.0.7, 1.1.1 ]
credit: 'Joseph Bisch'
description: Null pointer dereference when an "empty" nick has been observed by Irssi.
mitigating_info: requires a broken ircd or control over the ircd
-
cve: CVE-2018-7052
cwe: CWE-690
exploitable_by: client
affected_versions:
to: [ 1.0.6, 1.1.0 ]
fixed_version: [ 1.0.7, 1.1.1 ]
credit: 'Joseph Bisch'
description: When the number of windows exceed the available space, Irssi would crash due to Null pointer dereference.
mitigating_info: depends on non-default configuration
-
cve: CVE-2018-7051
cwe: CWE-126
exploitable_by: client
affected_versions:
from: 0.8.7
to: [ 1.0.6, 1.1.0 ]
fixed_version: [ 1.0.7, 1.1.1 ]
credit: Oss-Fuzz
description: Certain nick names could result in out of bounds access when printing theme strings.
recommended_action: >
Upgrade to the latest stable Irssi version. Irssi 1.0.7 and 1.1.1 are maintenance release in the
1.0 and 1.1 series, without any new features.
After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require
/reconnect.
---
|
