oss-sec mailing list archives

Re: CVE ID request: certificate spoofing through crafted SASL message in inspircd, charybdis

From: William Pitcock <nenolod () dereferenced org>
Date: Mon, 5 Sep 2016 17:26:06 -0500

Hello,

UnrealIRCd is also affected:

https://github.com/unrealircd/unrealircd/commit/f473e355e1dc422c4f019dbf86bc50ba1a34a766

As is Nefarious:

https://github.com/evilnet/nefarious2/commit/f50a84bad996d438e7b31b9e74c32a41e43f8be5

William

On Sun, Sep 4, 2016 at 4:45 PM, Antoine Beaupré <anarcat () debian org> wrote:

inspircd published 2.0.23 that fixes an issue with SASL
authentication. The details are here:

http://www.inspircd.org/2016/09/03/v2023-released.html

All versions are affected.

Upstream hasn't requested a CVE yet. I told them I would request one
from here on IRC.

It seems to also affect Charybdis, which fixed the issue in the
upcoming 3.5.3 release:

https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824

A.

--
All governments are run by liars and nothing they say should be
believed.
                       - I. F. Stone

Current thread:

CVE ID request: certificate spoofing through crafted SASL message in inspircd, charybdis Antoine Beaupré (Sep 04)
- Re: CVE ID request: certificate spoofing through crafted SASL message in inspircd, charybdis William Pitcock (Sep 05)
  - Re: CVE ID request: certificate spoofing through crafted SASL message in inspircd, charybdis cve-assign (Sep 05)
- Re: CVE ID request: certificate spoofing through crafted SASL message in inspircd, charybdis cve-assign (Sep 05)