Security Advisory 2020-02 - InspIRCd Documentation

InspIRCd Security Advisory 2020-02

Summary

The websocket module before v3.8.1 contains a double free vulnerability. When combined with a HTTP reverse proxy this vulnerability can be used by any user who is [GKZ]-lined to remotely crash an InspIRCd server.

Thanks to @benharri for reporting this issue.

Affected Versions

This vulnerability is present in the following releases:

All versions of v3 before v3.8.1

Recommended Action

This vulnerability is fixed in version 3.8.1. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then the websocket module should be unloaded or reconfigured to allow users to connect directly instead of through a HTTP reverse proxy.

History

2019-01-14 — The vulnerability was introduced as part of a fix for another issue.
2020-11-18 — A crash bug was reported to the InspIRCd team.
2020-11-19 — The cause of the crash was identified by the InspIRCd team and a fix was prepared.
2020-11-20 — InspIRCd v3.8.1 was released with a fix for the crash vulnerability.

References

InspIRCd commit 061a2e1a.

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search