group.of.nepali.translators team mailing list archive

[Bug 1781925] Re: Vulnerabilities in znc package CVE-2018-14055 CVE-2018-14056

 

This bug was fixed in the package znc - 1.2-3ubuntu0.1

---------------
znc (1.2-3ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation for non-admin users (LP: #1781925)
    - debian/patches/CVE-2018-14055-1.patch: Remove newlines from incoming
      network configuration change directives. Based on upstream patch.
    - debian/patches/CVE-2018-14055-2.patch: Remove extra newlines when
      writing out configuration file. Based on upstream patch.
    - CVE-2018-14055
  * SECURITY UPDATE: Path traversal flaw allows access to files outside of
    skins (LP: #1781925)
    - debian/patches/CVE-2018-14056.patch: Replace path traversal components
      in skin names to ensure path traversal is not possible. Based on
      upstream patch.
    - CVE-2018-14056
  * SECURITY UPDATE: Denial of service (crash) from remote authenticated users
    - debian/patches/CVE-2014-9403.patch: Check whether channel exists
      when dealing with user specified channel name.  Based on upstream
      patch.
    - CVE-2014-9403

 -- Alex Murray <alex.murray@xxxxxxxxxxxxx>  Tue, 07 Aug 2018 14:38:37 +0930

** Changed in: znc (Ubuntu Trusty)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9403

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1781925

Title:
  Vulnerabilities in znc package CVE-2018-14055 CVE-2018-14056

Status in znc package in Ubuntu:
  Fix Released
Status in znc source package in Trusty:
  Fix Released
Status in znc source package in Xenial:
  Fix Released
Status in znc source package in Artful:
  Won't Fix
Status in znc source package in Bionic:
  Fix Released
Status in znc source package in Cosmic:
  Fix Released

Bug description:
  Multiple remote vulnerabilities reported in ZNC package:
  CVE-2018-14055, CVE-2018-14056

  Debian LTS has updates available:
  http://www.linuxsecurity.com/content/view/213083?rdf

  Relevant patches in znc git:

  https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
  https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
  https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

  Currently no updates available in Xenial, did not see any existing
  reports.
