blob: 0cc2f80f9081dc6b4607e629b51197c96248b0c4 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200903-02">
<title>ZNC: Privilege escalation</title>
A vulnerability in ZNC allows for privilege escalation.
<product type="ebuild">znc</product>
<announced>March 06, 2009</announced>
<revised>March 06, 2009: 01</revised>
<package name="net-irc/znc" auto="yes" arch="*">
<unaffected range="ge">0.066</unaffected>
<vulnerable range="lt">0.066</vulnerable>
ZNC is an advanced IRC bouncer.
cnu discovered multiple CRLF injection vulnerabilities in ZNC's
webadmin module.
<impact type="high">
A remote authenticated attacker could modify the znc.conf configuration
file and gain privileges via newline characters in e.g. the QuitMessage
field, and possibly execute arbitrary code.
There is no known workaround at this time.
All ZNC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-irc/znc-0.066&quot;</code>
<uri link="">CVE-2009-0759</uri>
<metadata tag="requester" timestamp="Thu, 05 Mar 2009 20:11:58 +0000">
<metadata tag="submitter" timestamp="Thu, 05 Mar 2009 22:51:15 +0000">
<metadata tag="bugReady" timestamp="Fri, 06 Mar 2009 22:00:32 +0000">