On Fri, Aug 23, 2013 at 10:59:37PM +0200, Alexander Barton wrote:
> A severe bug in ngIRCd 18 up to and including 20.2 has been discovered which will crash the daemon (denial of service) and can happen when the daemon fails to send the optional "notice auth" message to new clients connecting to the server (CVE-2013-5580).

This is _wrong_.
After even more checking by Christoph Biedl and myself, it turns out that ngIRCd 18 and 19.x are _NOT_ affected by this bug.
These ngIRCd releases contain another (already known) bug that renders the "NoticeAuth" options quite dysfunctional and even incompatible with SSL-encrypted connections (this is fixed in ngIRCd 20), but can't crash the daemon as stated above.
So only ngIRCd 20, 20.1, and 20.2 are affected and should be upgraded to ngIRCd 20.3 (or newer).
Please note that only setups having the configuration option "NoticeAuth" enabled are affected, which is not the default.
This is still true, even for ngIRCd 20, 20.1, and 20.2.
Thanks
Alex