• Bug#1067237: ngircd: missing ssl security patch in debian's ngircd pack

    From jose@21:1/5 to All on Wed Mar 20 17:30:01 2024
    Source: ngircd
    Version: 26.1-1
    Severity: important
    Tags: patch

    Dear Maintainer,

The master branch of the upstream ngircd changelog informs about an
SSL security related patch [1] that is missing in the -26-1 ngircd Debian package patches.

    Here's the Changelog entry:

    [[
    Respect "SSLConnect" option for incoming connections and do not accept
    incoming plain-text ("non SSL") server connections for servers configured
    with "SSLConnect" enabled. This change prevents an authenticated
    client-server being able to force the server-server to send its password
    on a plain-text connection when SSL/TLS was intended.
    ]]

    It may be interesting to cherry-pick the patch that fixes this issue [2].
    I added it by hand and didn't detect any issue compiling or running
    ngircd.


    [1] https://github.com/ngircd/ngircd/blob/c1c0bca0e2fa7b678a18155abaf364fcb9dab427/ChangeLog#L53
    [2] https://github.com/ngircd/ngircd/commit/21c1751b045b0be49e584a4ba191a330e0c381bb

    *** Reporter, please consider answering these questions, where appropriate ***

    * What led up to the situation?

Browsing the changelog on the GitHub repository for the ngircd server.

    * What exactly did you do (or not do) that was effective (or
    ineffective)?

I cherry-picked and added the upstream patch from GitHub [2] to the
Debian package source obtained through apt-get source, then compiled and installed the package.

    * What was the outcome of this action?

Although I cannot run the test scenario, this patches the SSL issue
reported by the code developer, avoiding tricking the server into sending
its password in the clear on server-server connections.

    -- System Information:
    Debian Release: 12.5
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.1.0-18-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
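As an added illustration of the changelog entry quoted in this report (example code written here, not ngircd's own or the Debian package's): a small Python audit that parses the [Server] blocks of an ngircd.conf, lists the peers configured with SSLConnect, and models the patched accept rule, under which a peer configured for SSLConnect is refused when it arrives in plain text. The configuration text and host names are constructed, and the Debian config path is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in ngircd.conf syntax (assumption: on Debian the real
# file lives at /etc/ngircd/ngircd.conf; this snippet is made up).
SAMPLE_CONF = """
[Global]
    Name = irc.example.test
[Server]
    Name = hub.example.test
    Host = hub.example.test
    Port = 6697
    SSLConnect = yes
[Server]
    Name = leaf.example.test
    Host = leaf.example.test
    Port = 6667
    SSLConnect = no
"""

TRUE_VALUES = ("yes", "true", "on")

def parse_servers(text: str) -> Dict[str, Dict[str, str]]:
    """Return every [Server] block keyed by its Name, option keys lower-cased."""
    servers, section, current = {}, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:  # new section: flush a completed [Server] block first
            if section == "server" and "name" in current:
                servers[current["name"]] = current
            section, current = m.group(1).lower(), {}
            continue
        if section == "server" and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    if section == "server" and "name" in current:
        servers[current["name"]] = current
    return servers

def ssl_only_peers(text: str) -> List[str]:
    """Names of configured peers that rely on SSLConnect (affected by the bug)."""
    return sorted(n for n, s in parse_servers(text).items()
                  if s.get("sslconnect", "no").lower() in TRUE_VALUES)

def accept_incoming(servers: Dict[str, Dict[str, str]], peer: str, is_tls: bool) -> bool:
    """Patched rule: an SSLConnect peer must arrive over TLS, or the link is
    refused before any server password is exchanged."""
    cfg = servers.get(peer)
    if cfg is None:
        return False  # peer not configured at all
    wants_tls = cfg.get("sslconnect", "no").lower() in TRUE_VALUES
    return is_tls or not wants_tls
```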
  • From Christoph Biedl@21:1/5 to All on Sun Mar 31 20:30:01 2024
    Control: tags 1067237 pending

    jose wrote...

> The master branch of the upstream ngircd changelog informs about an
> SSL security related patch [1] that is missing in the -26-1 ngircd Debian package patches.

Thanks, this is on the radar and I'm in contact with upstream on how to deal
with this.

    Christoph

