Debian Security Advisory
DLA-1427-1 znc -- LTS security update
- Date Reported:
- 15 Jul 2018
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2018-14055, CVE-2018-14056.
- More information:
It was discovered that there were two issues in znc, a modular IRC bouncer:
- There was insufficient validation of lines coming from the network allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf. (CVE-2018-14055)
- A path traversal vulnerability (via "../" being embedded in a web skin name) to access files outside of the allowed directory. (CVE-2018-14056)
For Debian 8
Jessie, these issues have been fixed in znc version 1.4-2+deb8u1.
We recommend that you upgrade your znc packages.