Overview

Request 623567 accepted

- Update to version 1.7.1:
* Security critical fixes
+ CVE-2018-14055: non-admin user could gain admin privileges and shell access by injecting values into znc.conf.
+ CVE-2018-14056: path traversal in HTTP handler via ../ in a web skin name.
* Core
+ Fix znc-buildmod to not hardcode the compiler used to build ZNC anymore in CMake build (#1536)
+ Fix language selector. Russian and German were both not selectable.
+ Fix build without SSL support (#1554)
+ Fix several broken strings
+ Stop spamming users about debug mode. This feature was added in 1.7.0, now reverted. (#1541)
* New
+ Add partial Spanish, Indonesian, and Dutch translations
* Modules
+ adminlog: Log the error message again (regression of 1.7.0) (#1557)
+ admindebug: New module, which allows admins to turn on/off --debug in runtime (#1556)
+ flooddetach: Fix description of commands (#1548)
+ modperl: Fix memory leak in NV handling
+ modperl: Fix functions which return VCString (#1543)
+ modpython: Fix functions which return VCString (#1543)
+ webadmin: Fix fancy CTCP replies editor for Firefox. It was showing the plain version even when JS is enabled
* Internal
+ Deprecate one of the overloads of CMessage::GetParams(), rename it to CMessage::GetParamsColon()
+ Don't throw from destructor in the integration test
+ Fix a warning with integration test / gmake / znc-buildmod interaction.
- Drop upstream patches:
* znc-inject2.patch
* znc-inject.patch
* znc-traversal.patch

- Fix boo#1101280 CVE-2018-14056

Request History
Martin Pluskal (pluskalm) created request


Factory Auto (factory-auto) added opensuse-review-team as a reviewer

Please review sources


Factory Auto (factory-auto) added repo-checker as a reviewer

Please review build success


Factory Auto (factory-auto) accepted review

Check script succeeded


Staging Bot (staging-bot) added as a reviewer

Being evaluated by staging project "openSUSE:Factory:Staging:adi:55"


Staging Bot (staging-bot) accepted review

Picked openSUSE:Factory:Staging:adi:55


Repo Checker (repo-checker) accepted review

cycle and install check passed


Dominique Leuenberger (dimstar) accepted review


Saul Goodman (licensedigger) accepted review

ok


Dominique Leuenberger (dimstar_suse) accepted review

ready to accept


Dominique Leuenberger (dimstar_suse) approved review

ready to accept


Dominique Leuenberger (dimstar_suse) accepted request

Accept to openSUSE:Factory
