Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server.

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2020:1616 advisory.

  - Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free     when sending SASL login to the server. (CVE-2019-13045)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-1616 advisory.

  - Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free     when sending SASL login to the server. (CVE-2019-13045)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-3025 advisory.

  - Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free     when sending SASL login to the server. (CVE-2019-13045)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2020:1616 advisory.

  - Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free     when sending SASL login to the server. (CVE-2019-13045)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2020:1616 advisory.

  - irssi: use after free when sending SASL login to server (CVE-2019-13045)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1616 advisory.

  - irssi: use after free when sending SASL login to server (CVE-2019-13045)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the version of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x     before 1.2.1, when SASL is enabled, has a use after     free when sending SASL login to the     server.(CVE-2019-13045)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Irssi incorrectly handled certain disconnections. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-7054)

It was discovered that Irssi incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2019-13045).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for irssi fixes the following issues :

irssi was updated to 1.1.3 :

  - CVE-2019-13045: Fix a use after free issue when sending     the SASL login on (automatic and manual) reconnects     (#1055, #1058) (boo#1139802)

  - Fix regression of #779 where autolog_ignore_targets     would not matching itemless windows anymore (#1012,     #1013)

Irssi reports :

Use after free when sending SASL login to the server found by ilbelkyr. (CWE-416, CWE-825)

New irssi packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix a security issue.

ID	Name	Product	Family	Severity
184555	Rocky Linux 8 : irssi (RLSA-2020:1616)	Nessus	Rocky Linux Local Security Checks	high
180940	Oracle Linux 8 : irssi (ELSA-2020-1616)	Nessus	Oracle Linux Local Security Checks	high
161618	Debian DLA-3025-1 : irssi - LTS security update	Nessus	Debian Local Security Checks	high
157501	AlmaLinux 8 : irssi (ALSA-2020:1616)	Nessus	Alma Linux Local Security Checks	high
146034	CentOS 8 : irssi (CESA-2020:1616)	Nessus	CentOS Local Security Checks	high
143037	RHEL 8 : irssi (RHSA-2020:1616)	Nessus	Red Hat Local Security Checks	high
139960	EulerOS 2.0 SP8 : irssi (EulerOS-SA-2020-1857)	Nessus	Huawei Local Security Checks	high
126504	Ubuntu 16.04 LTS / 18.04 LTS : Irssi vulnerabilities (USN-4046-1)	Nessus	Ubuntu Local Security Checks	critical
126491	openSUSE Security Update : irssi (openSUSE-2019-1690)	Nessus	SuSE Local Security Checks	high
126413	FreeBSD : irssi -- Use after free when sending SASL login to the server (475f952c-9b29-11e9-a8a5-6805ca0b38e8)	Nessus	FreeBSD Local Security Checks	high
126367	Slackware 14.0 / 14.1 / 14.2 / current : irssi (SSA:2019-180-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2019-13045

high

Tenable Plugins

high

high

high

high

high

high

high

critical

high

high

high