Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Paul Wise <pabs3@bonedaddy.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Package: cgiirc
Version: 0.5.4
Severity: grave
Tags: security
Justification: user security hole
Upstream has just released 0.5.8, which fixes a buffer overflow in
client.c amongst other things. The 0.5.8 timeline can be seen here:
http://cvs.cgiirc.org/timeline?d=300&e=2006-Apr-30&c=2&px=&s=0&dm=1&x=1&m=1
The patches can be seen here:
http://cvs.cgiirc.org/chngview?cn=283
http://cvs.cgiirc.org/chngview?cn=263
There is no CVE assigned yet as far as I know.
0.5.8 also adds a login secret feature to help stop flooding:
> I have also added a feature which hopefully will stop some of the
> lamer attacks on CGI:IRC. If you set the 'login secret' option then
> an authentication token is added to the URL so it is not enough to
> simply request nph-irc.cgi like some flooding scripts have done.
http://cvs.cgiirc.org/chngview?cn=277
--
bye,
pabs
http://wiki.debian.org/PaulWise
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Elrond <elrond+bugs.debian.org@samba-tng.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
To: Paul Wise <pabs3@bonedaddy.net>, 365680@bugs.debian.org
Subject: Re: Bug#365680: cgiirc: buffer overflow in client.c
Date: Tue, 2 May 2006 17:50:07 +0200
package cgiirc
tags 365680 + confirmed
thanks
On Tue, May 02, 2006 at 10:15:37AM +0800, Paul Wise wrote:
[...]
> Upstream has just released 0.5.8, which fixes a buffer overflow in
> client.c amongst other things. The 0.5.8 timeline can be seen here:
[...]
Okay, I can confirm the buffer overflow.
> http://cvs.cgiirc.org/chngview?cn=283
> http://cvs.cgiirc.org/chngview?cn=263
Okay, that helped in fixing it, my upcoming patch is based
on this.
> There is no CVE assigned yet as far as I know.
I don't know, if the security team requires this.
> 0.5.8 also adds a login secret feature to help stop flooding:
>
> > I have also added a feature which hopefully will stop some of the
> > lamer attacks on CGI:IRC. If you set the 'login secret' option then
> > an authentication token is added to the URL so it is not enough to
> > simply request nph-irc.cgi like some flooding scripts have done.
>
> http://cvs.cgiirc.org/chngview?cn=277
I have decided to not backport this for the security
release of 0.5.4. If the security team decides, that this
is needed, I leave that to them.
But AFAIK, it's only raising the DoS-burden a little.
Elrond
Tags added: confirmed
Request was from Elrond <elrond+bugs.debian.org@samba-tng.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Hi,
On Tue, May 02, 2006 at 10:15:37AM +0800, Paul Wise wrote:
> Upstream has just released 0.5.8, which fixes a buffer overflow in
> client.c amongst other things. The 0.5.8 timeline can be seen here:
Just as a short-term reply and for documentation reasons regarding this
issue:
The Debian package ships with a safe default configuration and is thus
not per-se vulnerable.
However, of course it is vulnerable if the configuration is changed to
use client.cgi instead of client-perl.cgi.
regards
Mario
--
I've never been certain whether the moral of the Icarus story should
only be, as is generally accepted, "Don't try to fly too high," or
whether it might also be thought of as, "Forget the wax and feathers
and do a better job on the wings." -- Stanley Kubrick
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
To: 365680@bugs.debian.org, 365680-submitter@bugs.debian.org
Subject: I have requested a CVE assignment
Date: Tue, 02 May 2006 12:48:07 -0400
I have requested a CVE assignment for this vulnerability, and will send
it on as soon as it is obtained. Please include this reference in any
changelog resolving this issue so that it can be appropriately tracked.
>> There is no CVE assigned yet as far as I know.
>I don't know, if the security team requires this.
Yes, it is required for DSAs, and for tracking issues.
Micah
Message sent on to Paul Wise <pabs3@bonedaddy.net>:
Bug#365680.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to David Leadbeater <dgl@dgl.cx>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Mario: It does affect all configurations, just because the
configuration file says client-perl.cgi it doesn't stop someone
accessing client.cgi as the package builds client.cgi and puts it
into the cgi-bin directory.
David
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
On Tue, May 02, 2006 at 08:46:28PM +0100, David Leadbeater wrote:
> Mario: It does affect all configurations, just because the
> configuration file says client-perl.cgi it doesn't stop someone
> accessing client.cgi as the package builds client.cgi and puts it
Yes, I missed that in the first look iteration.
We've quite finished an intermediate security release.
Mario
--
We are the Bore. Resistance is futile. You will be bored.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Elrond <elrond+bugs.debian.org@samba-tng.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Hi,
The appended patch should fix this issue.
It's based on the upstream patches in 0.5.8.
This is the result of Mario already reviewing it.
Everybody else is invited to review it too.
To create a new package:
- Place the .dpatch in debian/patches
- Add 50_client-c_bufferoverflow_fix.dpatch to
debian/patches/
- Create a new changelog entry.
To Do / Done:
* I verified, that the above builds a fresh package
* Testing is needed
* Tag this bug "patch"
* Let the security team do their job
Elrond
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Cc: 365680@bugs.debian.org, 365680-submitter@bugs.debian.org,
David Leadbeater <dgl@dgl.cx>
Subject: Re: I have requested a CVE assignment
Date: Tue, 02 May 2006 17:21:41 -0400
CVE-2006-2148 was assigned for this vulnerability.
Micah
micah wrote:
>
> I have requested a CVE assignment for this vulnerability, and will send
> it on as soon as it is obtained. Please include this reference in any
> changelog resolving this issue so that it can be appropriately tracked.
>
>
>>>>There is no CVE assigned yet as far as I know.
>>>
>>>I don't know, if the security team requires this.
>
>
> Yes, it is required for DSAs, and for tracking issues.
>
> Micah
Message sent on to Paul Wise <pabs3@bonedaddy.net>:
Bug#365680.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
To: team@security.debian.org, debian-cgiirc@Wunder-Nett.org
Cc: 365680@bugs.debian.org
Subject: Re: CGIIRC vulnerability (Bug#365680)
Date: Thu, 4 May 2006 16:55:39 +0200
Elrond wrote:
> Nearly all the relevant information, that is currently
> available regarding this issue, is in the bug logs.
> (see: <http://bugs.debian.org/365680>)
Are you going to update the package in sid as well?
Or should the package propagate via stable-security?
Regards,
Joey
--
It's practically impossible to look at a penguin and feel angry.
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
To: team@security.debian.org, debian-cgiirc@Wunder-Nett.org
Cc: 365680@bugs.debian.org
Subject: Re: CGIIRC vulnerability (Bug#365680)
Date: Thu, 4 May 2006 16:50:55 +0200
Elrond wrote:
> Nearly all the relevant information, that is currently
> available regarding this issue, is in the bug logs.
> (see: <http://bugs.debian.org/365680>)
>
> Very Short summary:
>
> * bufferoverflow in C code
> * remotely exploitable
> * CVE has been requested by micah
> * Untested patch exists
>
> I _might_ be able to test, whether the package still works
> with the patch within the next 24 to 48 hours, but don't
> hold your breath on this.
Please let us know.
> As this has been disclosed publicly now anyway, I'd suggest
> keeping all important (new) information in the bug logs for
> easy review by interested parties.
Update prepared.
Regards,
Joey
--
It's practically impossible to look at a penguin and feel angry.
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
package cgiirc
tags 365680 + patch
thanks
On Tue, May 02, 2006 at 10:30:11PM +0200, Elrond wrote:
> To create a new package:
> - Place the .dpatch in debian/patches
> - Add 50_client-c_bufferoverflow_fix.dpatch to
> debian/patches/
- Add 50_client-c_bufferoverflow_fix to debian/patches/00list
> - Create a new changelog entry.
>
> To Do / Done:
> * I verified, that the above builds a fresh package
Ditto. It does also install/upgrade clean :)
> * Testing is needed
I did my best :)
> * Tag this bug "patch"
On the way.
> * Let the security team do their job
Okay :)
regards
Mario
--
There is nothing more deceptive than an obvious fact.
-- Sherlock Holmes by Arthur Conan Doyle
Tags added: patch
Request was from "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to "Mario 'BitKoenig' Holbe" <Mario.Holbe@TU-Ilmenau.DE>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
On Thu, May 04, 2006 at 04:55:39PM +0200, Martin Schulze wrote:
> Are you going to update the package in sid as well?
We're preparing a new version for sid, which of course will include the
fix, too. But this will take a few days longer, so...
> Or should the package propagate via stable-security?
Yes, for the first it should be okay to propagate the package via
stable-security.
On Thu, May 04, 2006 at 04:50:55PM +0200, Martin Schulze wrote:
> Elrond wrote:
> > I _might_ be able to test, whether the package still works
> Please let us know.
Tests are done. Everything seems to work well.
> Update prepared.
Go on :)
Please make sure you did also add 50_client-c_bufferoverflow_fix to
debian/patches/00list in order to really make it active, since Elrond
did forget to mention this in his original ToDo list.
Thanks for your work & best regards
Mario
--
File names are infinite in length where infinity is set to 255 characters.
-- Peter Collinson, "The Unix File System"
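The activation step discussed in the message above (a .dpatch file in debian/patches has no effect until it is named in debian/patches/00list) can be checked mechanically before an upload. The following is an added example, not part of the original thread or of the cgiirc packaging; the function names and the sample tree are constructed for illustration, and it assumes 00list holds whitespace-separated patch names with `#` comments and an optional `.dpatch` suffix.

```shell
#!/bin/sh
# Added example: list dpatch files that are present in debian/patches but
# not activated in debian/patches/00list.

# inactive_dpatches DIR
# Prints the name of every DIR/*.dpatch that 00list does not mention.
# Returns 0 if all patches are listed, 1 if any is missing, 2 if DIR has
# no 00list file.
inactive_dpatches() {
    dir=$1
    list="$dir/00list"
    [ -f "$list" ] || { echo "no 00list in $dir" >&2; return 2; }

    # Normalise 00list: drop comments, split on whitespace, strip an
    # optional .dpatch suffix, drop empty lines.
    active=$(sed -e 's/#.*//' "$list" \
        | tr -s '[:space:]' '\n' \
        | sed -e 's/\.dpatch$//' -e '/^$/d')

    missing=0
    for f in "$dir"/*.dpatch; do
        [ -e "$f" ] || continue          # no patches at all
        name=$(basename "$f" .dpatch)
        if ! printf '%s\n' "$active" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
            missing=1
        fi
    done
    return $missing
}

# make_sample_tree
# Builds a constructed source tree in a temporary directory: two patches
# on disk, only one of them named in 00list. Prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/debian/patches"
    : > "$t/debian/patches/50_allow-port.dpatch"
    : > "$t/debian/patches/50_client-c_bufferoverflow_fix.dpatch"
    printf '# active patches\n50_allow-port.dpatch\n' \
        > "$t/debian/patches/00list"
    printf '%s\n' "$t"
}

# Demonstration on the constructed tree.
tree=$(make_sample_tree)
inactive_dpatches "$tree/debian/patches" \
    || echo "^ present in debian/patches but not active in 00list"
rm -rf "$tree"
```
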
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Mario 'BitKoenig' Holbe wrote:
> > Elrond wrote:
> > > I _might_ be able to test, whether the package still works
> > Please let us know.
>
> Tests are done. Everything seems to work well.
>
> > Update prepared.
>
> Go on :)
> Please make sure you did also add 50_client-c_bufferoverflow_fix to
> debian/patches/00list in order to really make it active, since Elrond
> did forget to mention this in his original ToDo list.
Yup, did that.
Regards,
Joey
--
It's practically impossible to look at a penguin and feel angry.
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Elrond <elrond+bugs.debian.org@samba-tng.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
package cgiirc
retitle 365680 [CVE-2006-2148] cgiirc: buffer overflow in client.c
thanks
On Fri, May 05, 2006 at 07:10:57PM +0200, Mario 'BitKoenig' Holbe wrote:
> On Thu, May 04, 2006 at 04:55:39PM +0200, Martin Schulze wrote:
> > Are you going to update the package in sid as well?
>
> We're preparing a new version for sid, which of course will include the
> fix, too. But this will take a few days longer, so...
>
> > Or should the package propagate via stable-security?
>
> Yes, for the first it should be okay to propagate the package via
> stable-security.
If people using testing or sid (which has the same version
of cgiirc still) will get that version then too (until we
have 0.5.8-1 out), that would be cool too.
Elrond
Changed Bug title.
Request was from Elrond <elrond+bugs.debian.org@samba-tng.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Elrond wrote:
> On Sun, May 07, 2006 at 09:16:35AM +0200, Martin Schulze wrote:
> [...]
> > If an update enters stable-security and the version in testing is the
> > same as in stable, then the new version propagates into testing. If,
> > additionally, the version in unstable is the same, this very version
> > will propagate into unstable as well.
> >
> > So, it'll propagate automatically if you're not updating the package before.
>
> Very nice!
>
> What's missing for the DSA? (just curious / wanting to
> know, if there's something I should do)
Nothing else required by you.
Regards,
Joey
--
It's practically impossible to look at a penguin and feel angry.
Please always Cc to me when replying to me on the lists.
Reply sent to Elrond <elrond+bugs.debian.org@samba-tng.org>:
You have taken responsibility.
Notification sent to Paul Wise <pabs3@bonedaddy.net>:
Bug acknowledged by developer.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
To: 365680@bugs.debian.org,
control@bugs.debian.org
Subject: [CVE-2006-2148] cgiirc: buffer overflow in client.c not fixed in sid
Date: Wed, 7 Jun 2006 01:16:11 +0200
package cgiirc
reopen 365680
thanks
the fix has not been uploaded to unstable yet, but the BTS claims [1]
that it is resolved. Is this a bug in the version tracking of the
BTS?
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=cgiirc
Bug reopened, originator not changed.
Request was from Stefan Fritsch <sf@sfritsch.de>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Subject: Re: Bug#365680: [CVE-2006-2148] cgiirc: buffer overflow in client.c not fixed in sid
Date: Wed, 07 Jun 2006 20:35:57 +0200
* Stefan Fritsch:
> the fix has not been uploaded to unstable yet, but the BTS claims [1]
> that it is resolved. Is this a bug in the version tracking of the
> BTS?
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=cgiirc
In fact, the sarge version should propagate to etch and sid. I don't
know why this hasn't happened yet.
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Elrond <elrond+bugs.debian.org@samba-tng.org>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
To: Florian Weimer <fw@deneb.enyo.de>, 365680@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#365680: [CVE-2006-2148] cgiirc: buffer overflow in client.c not fixed in sid
Date: Thu, 8 Jun 2006 12:57:59 +0200
On Wed, Jun 07, 2006 at 08:35:57PM +0200, Florian Weimer wrote:
> * Stefan Fritsch:
>
> > the fix has not been uploaded to unstable yet, but the BTS claims [1]
> > that it is resolved. Is this a bug in the version tracking of the
> > BTS?
> >
> > http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=cgiirc
>
> In fact, the sarge version should propagate to etch and sid. I don't
> know why this hasn't happened yet.
Who should we contact to help this?
(I'm working on a new upload, but having the fixed version
propagate first would really be nice.)
Elrond
Tags added: pending
Request was from Elrond <elrond+bugs.debian.org@samba-tng.org>
to control@bugs.debian.org.
Reply sent to Damián Viano <debian@damianv.com.ar>:
You have taken responsibility.
Notification sent to Paul Wise <pabs3@bonedaddy.net>:
Bug acknowledged by developer.
Source: cgiirc
Source-Version: 0.5.9-1
We believe that the bug you reported is fixed in the latest version of
cgiirc, which is due to be installed in the Debian FTP archive:
cgiirc_0.5.9-1.diff.gz
to pool/main/c/cgiirc/cgiirc_0.5.9-1.diff.gz
cgiirc_0.5.9-1.dsc
to pool/main/c/cgiirc/cgiirc_0.5.9-1.dsc
cgiirc_0.5.9-1_i386.deb
to pool/main/c/cgiirc/cgiirc_0.5.9-1_i386.deb
cgiirc_0.5.9.orig.tar.gz
to pool/main/c/cgiirc/cgiirc_0.5.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 365680@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Damián Viano <debian@damianv.com.ar> (supplier of updated cgiirc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 19 Jun 2006 19:44:44 -0300
Source: cgiirc
Binary: cgiirc
Architecture: source i386
Version: 0.5.9-1
Distribution: unstable
Urgency: high
Maintainer: Damián Viano <debian@damianv.com.ar>
Changed-By: Damián Viano <debian@damianv.com.ar>
Description:
cgiirc - web based irc client
Closes: 296114 338181 365680
Changes:
cgiirc (0.5.9-1) unstable; urgency=high
.
* New maintainer
* New upstream release (Closes: #296114)
+ Fixed security-related bug, and thus set urgency=high (Closes: #365680)
* Debian specific patches removed (they are all dated or applied):
+ 50_allow-port
+ 50_select-and-input
+ 50_viewconnects-times
+ 50_decode-cmdline
+ 50_http-client_ip
+ 50_multiple-ipaccess+always-close-ipaccess
+ 50_reconnect-link
+ 60_config-in-etc.after.multiple-ipaccess
+ 60_select-and-input-mine
+ 70_select-table-ie-fix
* Rewrote copyright file
+ Added copyright information for modules/IRC/UniqueHash.pm
+ Correctly differentiate between copyright and license (Closes: #338181)
* Updated watch file
* Updated standards version to 3.7.2
+ moved images to /usr/share/images/cgiirc
+ added dependency on httpd-cgi and removed redundant recommends
* Updated compat level for debhelper to 5
Files:
12cd3d33ef5828a18a1936cb91693734 561 net extra cgiirc_0.5.9-1.dsc
2ca89a52ca51fcc7287a832701b6915f 135163 net extra cgiirc_0.5.9.orig.tar.gz
cdc2ecf030afb893c15773d49e68d68a 4554 net extra cgiirc_0.5.9-1.diff.gz
444b6b6a24c521a2a07757b8a8922687 128218 net extra cgiirc_0.5.9-1_i386.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Mario Holbe <debian-cgiirc@Wunder-Nett.org>: Bug#365680; Package cgiirc.
Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Mario Holbe <debian-cgiirc@Wunder-Nett.org>.
Subject: mention CVE ID # (Re: Bug#338181: marked as done (cgiirc: Improper copyright file))
Date: Tue, 20 Jun 2006 08:15:57 -0400
> * New maintainer
Thanks for maintaining cgiirc :)
> * New upstream release (Closes: #296114)
> + Fixed security-related bug, and thus set urgency=high (Closes: #365680)
Please mention the CVE ID [CVE-2006-2148] in the changelog; adding it
to this entry in the next revision is fine. I think the security
teams use this to generate their "nonvuln" lists and their vuln
matrices and such.
Justin
Changed Bug submitter from Paul Wise <pabs3@bonedaddy.net> to Paul Wise <pabs@debian.org>.
Request was from Paul Wise <pabs@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 18:05:16 GMT)