Quassel is vulnerable to a denial of service if it receives multiple CTCP requests in one PRIVMSG. The new versions of Quassel (0.6.3 and 0.7) now answer with one packed NOTICE response containing all CTCP replies. This affects Quassel as provided by Fedora.

References:
[1] http://quassel-irc.org/node/115
[2] http://bugs.quassel-irc.org/issues/1024
[3] http://bugs.quassel-irc.org/projects/quassel-irc/repository/revisions/fdec4a88742d1586a5fdfad767151c72a4a82af2/diff
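The packed-reply behaviour described in the report above, as an added example that is not Quassel's code and not part of the original report: every CTCP request found in one PRIVMSG is answered inside a single NOTICE. The function names, the reply strings and the 510-character line cap are assumptions made for this sketch.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Payloads found between pairs of \x01 delimiters, in order of appearance.
std::vector<std::string> extractCtcp(const std::string& text) {
    std::vector<std::string> out;
    std::size_t pos = 0;
    while ((pos = text.find('\x01', pos)) != std::string::npos) {
        std::size_t end = text.find('\x01', pos + 1);
        if (end == std::string::npos) break;       // unterminated: ignore the tail
        if (end > pos + 1) out.push_back(text.substr(pos + 1, end - pos - 1));
        pos = end + 1;
    }
    return out;
}

// Reply body for one request, or "" when the request is not answered.
std::string replyFor(const std::string& req) {
    std::string cmd = req.substr(0, req.find(' '));
    if (cmd == "PING") return req;                  // echo the argument back
    if (cmd == "VERSION") return "VERSION example-client 0.0";  // constructed value
    return "";
}

// NOTICE lines sent for one incoming PRIVMSG: none, or exactly one packed line.
std::vector<std::string> answerPrivmsg(const std::string& nick, const std::string& text) {
    const std::size_t kMaxLine = 510;               // assumed cap: 512 minus CRLF
    std::string line = "NOTICE " + nick + " :";
    bool any = false;
    for (const std::string& req : extractCtcp(text)) {
        std::string body = replyFor(req);
        if (body.empty()) continue;
        if (line.size() + body.size() + 2 > kMaxLine) break;  // drop what does not fit
        line += '\x01' + body + '\x01';
        any = true;
    }
    std::vector<std::string> lines;
    if (any) lines.push_back(line);
    return lines;
}

int main() {
    const std::string d(1, '\x01');                 // constructed sample input
    std::string msg = d + "PING 42" + d + d + "VERSION" + d;
    std::cout << answerPrivmsg("alice", msg).size() << " line(s) sent\n";
}
```

However many requests the incoming message carries, the outgoing traffic is bounded to one line of bounded length.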
Created quassel tracking bugs for this issue.
Affects: fedora-all [bug 636944]
This has been assigned the name CVE-2010-3443.
This was reported over a month ago, and there is a bugfix release available that claims to fix this. Could the updated version be made available at least in Fedora 13 updates-testing?
Fixed in Fedora, 20111107, via quassel-0.7.1-1.fc* (new upstream version)