Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#38885 - [quassel-core] security update for CVE-2013-6404
Attached to Project:
Community Packages
Opened by RbN (RbN) - Thursday, 13 February 2014, 08:31 GMT
Last edited by Jaroslav Lichtblau (Dragonlord) - Tuesday, 25 February 2014, 19:48 GMT
Opened by RbN (RbN) - Thursday, 13 February 2014, 08:31 GMT
Last edited by Jaroslav Lichtblau (Dragonlord) - Tuesday, 25 February 2014, 19:48 GMT
|
DetailsDescription (from MITRE[0]):
Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/. Resolution: corrective update : 9.2 [1] Ressources: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6404 [1] http://quassel-irc.org/pub/quassel-0.9.2.tar.bz2 |
This task depends upon
Closed by Jaroslav Lichtblau (Dragonlord)
Tuesday, 25 February 2014, 19:48 GMT
Reason for closing: Fixed
Additional comments about closing: updated to quassel-client 0.9.2-1
Tuesday, 25 February 2014, 19:48 GMT
Reason for closing: Fixed
Additional comments about closing: updated to quassel-client 0.9.2-1
Comment by RbN (RbN) -
Thursday, 13 February 2014, 08:45 GMT
Forget CVE ID in the title, one more time: CVE-2013-6404