There has been a vulnerability reported in InspIRCd 2.0.5 and possibly other versions of the IRC daemon.
The problem lies in the buffer handling of dns.cpp, can be triggered by remote users and might result in arbitrary code execution according to the advisory.
There currently is a workaround in the form of a config setting, namely to set
There also have been pull requests on GitHub by Atheme developer nenolod which fix the underlying code, although those – as of now – haven’t been pulled in yet.
The fixes above have been pulled in and the official sources have been moved from Gitorious to GitHub.
Due to the serious nature of the vulnerability, watch the development of this closely and even though there currently are no reports of this vulnerability being exploited in the wild.
The advisory can be found here and one of the temporary InspIRCd websites (which is currently still down after a break-in into ChatSpike/InspIRCd servers) can be found here.
We’ll keep this entry updated on any new developments regarding this issue.