It was found that quasselcore is vulnerable to a denial of service attack by unauthenticated clients. The protocol negotiation did not take into account lack of a match, in which case PeerFactory::createPeer returns a nullptr, which is immediately dereferenced. References: http://seclists.org/oss-sec/2016/q2/174 Issue introduced in commit: https://github.com/quassel/quassel/commit/d1bf207 Upstream fix: https://github.com/quassel/quassel/commit/e678873
Created quassel tracking bugs for this issue: Affects: epel-7 [bug 1332112] Affects: fedora-all [bug 1332113]
quassel-0.12.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
quassel-0.12.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
quassel-0.12.4-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
quassel-0.12.4-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.