-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0373
         A number of vulnerabilities have been identified in irssi
                               16 April 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           irssi
Publisher:         Ubuntu
Operating System:  Ubuntu
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access            -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Denial of Service              -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-1156 CVE-2010-1155 

Original Bulletin: 
   http://www.ubuntu.com/usn/USN-929-1

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Ubuntu. It is recommended that administrators 
         running irssi check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
Ubuntu Security Notice USN-929-1             April 16, 2010
irssi vulnerabilities
CVE-2010-1155, CVE-2010-1156
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  irssi                           0.8.12-3ubuntu3.2

Ubuntu 8.10:
  irssi                           0.8.12-4ubuntu2.2

Ubuntu 9.04:
  irssi                           0.8.12-6ubuntu1.2

Ubuntu 9.10:
  irssi                           0.8.14-1ubuntu1.1

After a standard system upgrade you need to restart irssi to effect the
necessary changes.

Details follow:

It was discovered that irssi did not perform certificate host validation
when using SSL connections. An attacker could exploit this to perform a
man-in-the-middle attack to view sensitive information or alter encrypted
communications. (CVE-2010-1155)

Aurelien Delaitre discovered that irssi could be made to dereference a NULL
pointer when a user left the channel. A remote attacker could cause a
denial of service via application crash. (CVE-2010-1156)

This update also adds SSLv3 and TLSv1 support, while disabling the old,
insecure SSLv2 protocol.


- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLx9A//iFOrG6YcBERAtx3AKDGQR6KfiaNjKSo7ZJykwxhjFUO4QCggthE
4/1h+uFadSfh125c9+IgVCI=
=t4sk
-----END PGP SIGNATURE-----