Urgent security update released for Quassel

An error in CTCP handling has been discovered in the Quassel IRC client that allows attackers to send IRC messages as you.
All Quassel users are encouraged to update their client immediately.

Well, looks like 0.3.0.2 was not the last 0.3.0 release after all. coekie found an issue with CTCP handling in Quassel Core that allows attackers to send arbitrary IRC messages on your behalf. This issue is present in all versions prior to 0.3.0.3 and Git older than October 26th (rev. d7a0381).
This has been fixed in the quassel-0.3.0.3 release and also in Git and the nightly builds. Gentoo and *buntu already ship the new version, with more distributions hopefully following ASAP. If you still use a 0.2-rc1 core, please consider updating to 0.3.x as soon as possible. Note that we provide unstable, but fixed packages for Debian now, thanks to dileX.
Note that this affects (only) the core, so you’ll need to update and restart your core. Clients are not affected. Also, this exploit cannot be used to affect anything on your system, including your local account, as it is purely IRC related.

[Quassel Urgent: Security Upgrade!]
