Debian Security Advisory

DLA-1427-1 znc -- LTS security update

Date Reported: 15 Jul 2018
Affected Packages: znc
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2018-14055, CVE-2018-14056.
More information:

It was discovered that there were two issues in znc, a modular IRC bouncer:

  • There was insufficient validation of lines coming from the network, allowing a non-admin user to escalate privileges and inject rogue values into znc.conf. (CVE-2018-14055)
  • A path traversal vulnerability (via "../" being embedded in a web skin name) allowed access to files outside of the allowed directory. (CVE-2018-14056)

For Debian 8 Jessie, these issues have been fixed in znc version 1.4-2+deb8u1.

We recommend that you upgrade your znc packages.
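
The class of bug behind CVE-2018-14056, shown as an added example that is not ZNC's code and not part of this advisory: a lookup that joins a requested skin name to a base directory unchecked, beside a hardened version. The directory, the skin names and all function names are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Placeholder directory constructed for this example, not a path taken from ZNC.
static const std::string kSkinsDir = "/srv/example/webskins";

// Lexically collapse "." and ".." in an absolute path without touching the filesystem.
std::string normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Unsafe pattern: the requested name is joined to the base with no checks.
std::string naive_skin_path(const std::string& skin) {
    return normalize(kSkinsDir + "/" + skin);
}

// A skin name must be exactly one path component (no separators, no NUL).
bool is_safe_skin_name(const std::string& skin) {
    if (skin.empty() || skin == "." || skin == "..") return false;
    return skin.find_first_of(std::string("/\\\0", 3)) == std::string::npos;
}

// Hardened lookup: validate the name, then confirm the result stays under the base.
bool resolve_skin(const std::string& skin, std::string& out) {
    if (!is_safe_skin_name(skin)) return false;
    const std::string full = normalize(kSkinsDir + "/" + skin);
    if (full.compare(0, kSkinsDir.size() + 1, kSkinsDir + "/") != 0) return false;
    out = full;
    return true;
}

int main() {
    std::string out;
    std::cout << naive_skin_path("../secret.conf") << "\n";
    std::cout << (resolve_skin("../secret.conf", out) ? "served" : "rejected") << "\n";
    return 0;
}
```

The containment check after the name check is deliberate defence in depth: if the name validation is ever loosened, the resolved path still cannot leave the base directory.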