ESB-2018.1389 - [Debian] quassel: Execute arbitrary code/commands - Remote/unauthenticated 2018-05-07

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1389
                   [DLA 1370-1] quassel security update
                                7 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           quassel
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000178  

Reference:         ESB-2018.1362

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/05/msg00001.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : quassel
Version        : 0.8.0-1+deb7u4
CVE ID         : CVE-2018-1000178

It was found that the Quassel IRC client was vulnerable to a remote
code execution vulnerability due to insufficient checks in the
deserializer code.

For Debian 7 "Wheezy", these problems have been fixed in version
0.8.0-1+deb7u4.

We recommend that you upgrade your quassel packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
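
Added example (not part of the Debian or AusCERT text): one way to check whether installed quassel packages are older than the fixed version 0.8.0-1+deb7u4, by applying dpkg's version ordering to `dpkg-query -W` output. The comparison is reimplemented here for illustration and is not dpkg's own code; the package list in SAMPLE is constructed.

```python
import re

FIXED = "0.8.0-1+deb7u4"  # fixed version for Debian 7 "Wheezy" (from the advisory)
DIGITS = "0123456789"

def _order(c):
    # dpkg order: '~' sorts first (even before end of string), letters before symbols.
    if c == "" or c in DIGITS:
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _nondigit(s, k):
    return k < len(s) and s[k] not in DIGITS

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        while _nondigit(a, i) or _nondigit(b, j):  # non-digit run, char by char
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        da = re.match(r"[0-9]*", a[i:]).group()  # digit run, compared numerically
        db = re.match(r"[0-9]*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(dpkg_lines, fixed=FIXED):
    """Return (package, version) pairs older than the fixed version."""
    rows = (line.partition("\t") for line in dpkg_lines)
    return [(p, v.strip()) for p, _, v in rows
            if v.strip() and deb_cmp(v.strip(), fixed) < 0]

# Constructed sample of `dpkg-query -W 'quassel*'` output (package<TAB>version).
SAMPLE = ["quassel-core\t0.8.0-1+deb7u3", "quassel-client\t0.8.0-1+deb7u4",
          "quassel-data\t0.8.0-1+deb7u10", "quassel\t0.8.0-1+deb7u4~test1"]
print(audit(SAMPLE))
```

A plain string comparison would wrongly rank `deb7u10` below `deb7u4` and treat the `~test1` build as newer than the fix; on a live host, `dpkg --compare-versions` performs the same ordering.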

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----