Security Advisory 2020-01 - InspIRCd Documentation

InspIRCd Security Advisory 2020-01

Summary

The pgsql module before v2.0.29 and v3.6.0 contains a use after free vulnerability. When combined with the sqlauth or sqloper modules this vulnerability can be used to remotely crash an InspIRCd server by any user able to connect to a server.

Affected Versions

This vulnerability is present in the following releases:

All versions of v2 before v2.0.29
All versions of v3 before v3.6.0

Recommended Action

This vulnerability is fixed in versions 2.0.29 and 3.6.0. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then the pgsql module should be unloaded.

History

2020-04-22 — A crash vulnerability was reported to the InspIRCd team.
2020-04-23 — The cause of the crash was identified by the InspIRCd team and a fix was prepared.
2020-04-24 — InspIRCd v2.0.29 and v3.6.0 were released with a fix for the crash vulnerability.

References

InspIRCd commits 6f6fa13, a9e107c, and 07d7dea (v2).
InspIRCd commits b24a911, fbdd080, and b3f1db9 (v3).
CVE-2020-25269

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search