[gentoo-announce] [ GLSA 201209-09 ] Atheme IRC Services: Denial of Service - gentoo-announce

From:	Sean Amoss <ackle@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201209-09 ] Atheme IRC Services: Denial of Service
Date:	Tue, 25 Sep 2012 11:21:31
Message-Id:	`506191B2.3060700@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201209-09

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Atheme IRC Services: Denial of Service

9

     Date: September 25, 2012

10

     Bugs: #409103

11

       ID: 201209-09

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability has been found in Atheme which may lead to Denial of

19

Service or a bypass of security restrictions.

20

21

Background

22

==========

23

24

Atheme is a portable and secure set of open-source and modular IRC

25

services. CertFP is certificate fingerprinting used to authenticate

26

users to nicknames.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  net-irc/atheme-services      < 6.0.10                  >= 6.0.10

35

36

Description

37

===========

38

39

The myuser_delete() function in account.c does not properly remove

40

CertFP entries when deleting user accounts.

41

42

Impact

43

======

44

45

A remote authenticated attacker may be able to cause a Denial of

46

Service condition or gain access to an Atheme IRC Services user

47

account.

48

49

Workaround

50

==========

51

52

There is no known workaround at this time.

53

54

Resolution

55

==========

56

57

All Atheme users should upgrade to the latest version:

58

59

  # emerge --sync

60

  # emerge --ask --oneshot --verbose ">=net-irc/atheme-services-6.0.10"

61

62

References

63

==========

64

65

[ 1 ] CVE-2012-1576

66

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1576

67

68

Availability

69

============

70

71

This GLSA and any updates to it are available for viewing at

72

the Gentoo Security Website:

73

74

 http://security.gentoo.org/glsa/glsa-201209-09.xml

75

76

Concerns?

77

=========

78

79

Security is a primary focus of Gentoo Linux and ensuring the

80

confidentiality and security of our users' machines is of utmost

81

importance to us. Any security concerns should be addressed to

82

security@g.o or alternatively, you may file a bug at

83

https://bugs.gentoo.org.

84

85

License

86

=======

87

88

Copyright 2012 Gentoo Foundation, Inc; referenced text

89

belongs to its owner(s).

90

91

The contents of this document are licensed under the

92

Creative Commons - Attribution / Share Alike license.

93

94

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201209-09
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Atheme IRC Services: Denial of Service
9	Date: September 25, 2012
10	Bugs: #409103
11	ID: 201209-09
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability has been found in Atheme which may lead to Denial of
19	Service or a bypass of security restrictions.
20
21	Background
22	==========
23
24	Atheme is a portable and secure set of open-source and modular IRC
25	services. CertFP is certificate fingerprinting used to authenticate
26	users to nicknames.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 net-irc/atheme-services < 6.0.10 >= 6.0.10
35
36	Description
37	===========
38
39	The myuser_delete() function in account.c does not properly remove
40	CertFP entries when deleting user accounts.
41
42	Impact
43	======
44
45	A remote authenticated attacker may be able to cause a Denial of
46	Service condition or gain access to an Atheme IRC Services user
47	account.
48
49	Workaround
50	==========
51
52	There is no known workaround at this time.
53
54	Resolution
55	==========
56
57	All Atheme users should upgrade to the latest version:
58
59	# emerge --sync
60	# emerge --ask --oneshot --verbose ">=net-irc/atheme-services-6.0.10"
61
62	References
63	==========
64
65	[ 1 ] CVE-2012-1576
66	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1576
67
68	Availability
69	============
70
71	This GLSA and any updates to it are available for viewing at
72	the Gentoo Security Website:
73
74	http://security.gentoo.org/glsa/glsa-201209-09.xml
75
76	Concerns?
77	=========
78
79	Security is a primary focus of Gentoo Linux and ensuring the
80	confidentiality and security of our users' machines is of utmost
81	importance to us. Any security concerns should be addressed to
82	security@g.o or alternatively, you may file a bug at
83	https://bugs.gentoo.org.
84
85	License
86	=======
87
88	Copyright 2012 Gentoo Foundation, Inc; referenced text
89	belongs to its owner(s).
90
91	The contents of this document are licensed under the
92	Creative Commons - Attribution / Share Alike license.
93
94	http://creativecommons.org/licenses/by-sa/2.5