InspIRCd Security Advisory 2021-01
InspIRCd before v3.10.0 contains a memory disclosure vulnerability. This vulnerability allows any user able to connect to a server to access recently deallocated memory. It is believed that the most likely memory to be disclosed is information regarding messages sent to the calling user, but other information cannot currently be ruled out.
Thanks to @AndrioCelos for reporting this issue.
This vulnerability is present in the following releases:
This vulnerability is fixed in version 3.10.0. It is strongly recommended that all affected users upgrade.
- 2020-10-26 — The vulnerability was introduced.
- 2021-05-14 — A malformed PONG response was reported to the InspIRCd Team.
- 2021-05-14 — The cause of the malformed response was identified as a memory disclosure by the InspIRCd Team and a fix was prepared.
- 2021-05-14 — InspIRCd v3.10.0 was released with a fix for the memory disclosure vulnerability.