Debian Security Advisory

DLA-1427-1 znc -- LTS security update

Date Reported:
15 Jul 2018
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2018-14055, CVE-2018-14056.
More information:

It was discovered that there were two issues in znc, a modular IRC bouncer:

  • There was insufficient validation of lines coming from the network allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf. (CVE-2018-14055)
  • A path traversal vulnerability (via "../" being embedded in a web skin name) to access files outside of the allowed directory. (CVE-2018-14056)

For Debian 8 Jessie, these issues have been fixed in znc version 1.4-2+deb8u1.

We recommend that you upgrade your znc packages.