Debian Bug report logs -
#601521
irssi-plugin-silc vulnerable to CVE-2010-1156
Reported by: Silvio Cesare <silvio.cesare@gmail.com>
Date: Wed, 27 Oct 2010 00:03:01 UTC
Severity: important
Tags: security
Found in version 1.1.4-1+lenny
Fixed in version 1.1.7-1
Done: Jérémy Bobbio <lunar@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian SILC Team <pkg-silc-devel@lists.alioth.debian.org>:
Bug#601521; Package irssi-plugin-silc.
(Wed, 27 Oct 2010 00:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Silvio Cesare <silvio.cesare@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian SILC Team <pkg-silc-devel@lists.alioth.debian.org>.
(Wed, 27 Oct 2010 00:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: irssi-plugin-silc
Version: 1.1.4-1+lenny
Severity: important
Tags: security
silc-client embeds irssi. irssi has this known vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1156. I have
confirmed that the following patch has not been applied
http://svn.irssi.org/cgi-bin/viewvc.cgi/irssi/trunk/src/core/nicklist.c?root=irssi&r1=4922&r2=5126
.
[Message part 2 (text/html, inline)]
Reply sent
to Jérémy Bobbio <lunar@debian.org>:
You have taken responsibility.
(Thu, 28 Oct 2010 17:33:12 GMT) (full text, mbox, link).
Notification sent
to Silvio Cesare <silvio.cesare@gmail.com>:
Bug acknowledged by developer.
(Thu, 28 Oct 2010 17:33:12 GMT) (full text, mbox, link).
Message #10 received at 601521-close@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 1.1.7-1
> silc-client embeds irssi. irssi has this known vulnerability
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1156. I have
> confirmed that the following patch has not been applied
> http://svn.irssi.org/cgi-bin/viewvc.cgi/irssi/trunk/src/core/nicklist.c?root=irssi&r1=4922&r2=5126
> .
The embedded code copy is not used anymore since version 1.1.7-1.
Quoting debian/changelog:
* Since Debian Policy 3.8.0, embedded code copy are officially not
allowed in Debian anymore. As it was a minor fork of irssi, the
silc package providing the official SILC client has been
discontinued.
* Use a custom build system for the irssi plugin. We now
Build-Depends on irssi-dev instead of relying on irssi embedded code
copy. (Closes: #448186, #522080)
* Remove extra symlinks for irssi plugin. (Closes: #476177)
* Ship the silc package as a transitional package which depends
on irssi and irssi-plugin-silc and contains a NEWS file.
Lenny ships version 1.1.7-2 and Etch is unsupported at this time.
Nothing to act on, hence closing this bug.
Cheers,
--
Jérémy Bobbio .''`.
jeremy.bobbio@irq7.fr : : : lunar@debian.org
`. `'`
`-
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 26 Nov 2010 07:32:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 05:15:55 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.