Alerts This Week
Warning Icon 1 646
Alerts This Week
Warning Icon 1 646

Gentoo: 201311-03 Normal: Quassel DoS & SQL Injection Threats

gentoo
Calendar Grey November 7, 2013
Dist Gentoo Esm H88
Gentoo GLSA 202211-05 tackles security flaws in Pidgin which may cause Denial of Service and potential XSS threats, highlighting the need for immediate patching.
Two vulnerabilities in Quassel may result in Denial of Service or SQL injection.

Summary

Two vulnerabilities have been found in Quassel: * Quassel does not properly handle multiple CTCP requests (CVE-2010-3443). * Quassel, when used with certain versions of Qt and PostgreSQL, does not sanitize user input (CVE-2013-4422).

Topics%20covered

Topics Covered

security advisory security issue software update SQL injection Denial of Service Gentoo Linux Quassel

Resolution

All Quassel users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-irc/quassel-0.9.1"

References

[ 1 ] CVE-2010-3443 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3443 [ 2 ] CVE-2013-4422 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4422

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201311-03
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Quassel: Multiple Vulnerabilities
Date: November 07, 2013
Bugs: #338879, #487632
ID: 201311-03

Topics%20covered

Topics Covered

security advisory security issue software update SQL injection Denial of Service Gentoo Linux Quassel

Synopsis

Two vulnerabilities in Quassel may result in Denial of Service or SQL injection.

Background

Quassel is a Qt4/KDE4 IRC client suppporting a remote daemon for 24/7 connectivity.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-irc/quassel < 0.9.1 >= 0.9.1

Impact

===== A remote attacker could send multiple CTCP requests in single private message, possibly resulting in a Denial of Service condition. Futhermore, a remote attacker may be able to execute arbitrary SQL statements.

Workaround

There is no known workaround at this time.

Related News

Your message here