Mandriva Linux Security Advisory : irssi (MDVSA-2010:079)

This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities have been found and corrected in irssi :

Irssi before 0.8.15, when SSL is used, does not verify that the server
hostname matches a domain name in the subject's Common Name (CN) field
or a Subject Alternative Name field of the X.509 certificate, which
allows man-in-the-middle attackers to spoof IRC servers via an
arbitrary certificate (CVE-2010-1155).
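
The check described above as missing, sketched as an added example (not irssi's code and not part of the advisory): a C routine that decides whether the names in a server certificate cover the hostname the client connected to. The function names and sample hostnames are assumptions, and the caller is assumed to have already extracted the SAN dNSName and CN strings from a certificate whose chain has been validated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality: DNS names compare without regard to case. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;                      /* both strings ended together */
}

/* Match one certificate name against the host; "*." may replace one label. */
static int name_matches(const char *pat, const char *host)
{
    if (strncmp(pat, "*.", 2) != 0)
        return strchr(pat, '*') == NULL && ieq(pat, host);
    const char *dot = strchr(host, '.');  /* end of the host's first label */
    if (dot == NULL || dot == host)
        return 0;
    if (strchr(pat + 2, '*') != NULL || strchr(pat + 2, '.') == NULL)
        return 0;                         /* refuse "*.*.org" and "*.org" */
    return ieq(pat + 1, dot);
}

/* 1 if the certificate names cover host. When SAN dNSName entries exist the
 * CN is ignored (the RFC 6125 rule, stricter than "CN or SAN"). */
int cert_covers_host(const char *host, const char *const *san, size_t nsan,
                     const char *cn)
{
    if (nsan == 0)
        return cn != NULL && name_matches(cn, host);
    for (size_t i = 0; i < nsan; i++)
        if (name_matches(san[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real certificate. */
    const char *san[] = { "irc.example.org", "*.chat.example.org" };
    const char *hosts[] = { "IRC.Example.org", "eu.chat.example.org",
                            "a.b.chat.example.org", "irc.example.net" };
    for (size_t i = 0; i < 4; i++)
        printf("%-22s %s\n", hosts[i],
               cert_covers_host(hosts[i], san, 2, NULL) ? "accept" : "REJECT");
}
```

A client that skips this comparison accepts any certificate that chains to a trusted CA, whatever name it was issued for.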

core/nicklist.c in Irssi before 0.8.15 allows remote attackers to
cause a denial of service (NULL pointer dereference and application
crash) via vectors related to an attempted fuzzy nick match at the
instant that a victim leaves a channel (CVE-2010-1156).

Additionally, the updated packages disable the SSLv2 protocol and
enable the SSLv3 and TLSv1 protocols for added security.

The updated packages have been patched to correct these issues.

Solution :

Update the affected irssi, irssi-devel and / or irssi-perl packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 48180 (mandriva_MDVSA-2010-079.nasl)

Bugtraq ID:

CVE ID: CVE-2010-1155, CVE-2010-1156
