IRC-Junkie.org – IRC News

All about Internet Relay Chat

Atheme NickServ CertFP Vulnerability

A security vulnerability related to certificate fingerprints has been found in the Atheme IRC services package.

 

All versions that have CertFP functionality are affected, which are version 5.2.x, 6.x and the current testing release, version 7.x.

 

The vulnerability is triggered once a NickServ user is dropped or expires that has a CertFP entry attached to it which will not be cleaned up upon deletion of the user account.

This will cause the CertFP entry to be in limbo and might result in pointing the entry to an other account which will result in being able to identify as another user via that certificate fingerprint.

 

Atheme maintainer nenolod released an update for all currently maintained versions of the services package so it is advised that you upgrade your IRC services immediately.

 

The advisory can be found here and the original bug report can be found here.

Copyright secured by Digiprove

Your email address will not be published. Required fields are marked *

*