Two vulnerabilities were reported in ircd-hybrid, ircd-ratbox, and oftc-hybrid. The first is an integer overflow that can lead to a denial of service or, possibly, the execution of arbitrary code on the ircd server (CVE-2009-4016 (patch [1])), the second is a NULL pointer dereference that can lead to a denial of service of the ircd server (CVE-2010-0300 (patch [2])). This has been corrected in upstream ircd-ratbox 2.2.9 [3]. CVE-2010-0300 may be ircd-ratbox specific, however CVE-2009-4016 affects both ircd servers. [1] http://ircd.ratbox.org/cgi-bin/index.cgi/ircd-ratbox/branches/RATBOX_3_0/src/cache.c?r1=26334&r2=26732 [2] http://trac.oftc.net/projects/oftc-hybrid/changeset/1062 [3] http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000891.html This issue would affect Fedora 11, 12, and rawhide, as well as EPEL 4 and 5.
Created attachment 387193 [details] patch from Debian to correct CVE-2009-4016
Created attachment 387195 [details] patch from Debian to correct CVE-2010-0300
Upstream opted to remove the vulnerable clean_string() function in ircd-hybrid: http://svn.ircd-hybrid.org:8000/viewcvs.cgi?rev=1044&view=rev
Eric, Marek, any update with scheduling Fedora-* ircd-{hybrid,ratbox} updates? Thanks, Jan.
Sorry but i have orphaned ircd-hybrid. Eric
I am looking into it.
ircd-hybrid-7.2.3-11.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/ircd-hybrid-7.2.3-11.fc12
ircd-ratbox-2.2.8-7.fc12, ircd-hybrid-7.2.3-11.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.