Please merge the latest bug release, 1.0.7-1, from Debian

Bug #1754781 reported by Unit 193
Affects: irssi (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

While the version in Bionic contains the CVE fixes, it would be nice to ship the latest bugfix release in the 1.0.x series.

dget https://launchpad.net/~unit193/+archive/ubuntu/staging/+files/irssi_1.0.7-1ubuntu1.dsc

Source: irssi
Version: 1.0.7-1ubuntu1
Distribution: devel
Urgency: high
Maintainer: Unit 193 <email address hidden>
Timestamp: 1520636093
Date: Fri, 09 Mar 2018 17:54:53 -0500
Closes: 886475 890674 890675 890676 890677 890678
Changes:
 irssi (1.0.7-1ubuntu1) devel; urgency=medium
 .
   * Merge from Debian. Remaining changes:
     - Refresh and re-enabled 20fix_ssl_proxy_hostname_check.
       - When we have a proxy setting, we expect the CN to match
         the proxy hostname, not the server hostname.
     - d/p/90irc-ubuntu-com:
       + Add the Ubuntu network with irc.ubuntu.com as the server,
         which is currently a CNAME for chat.freenode.net.
     - d/p/03firsttimer_text:
       + Adapt 03firsttimer_text so it tells you about
         connecting to Ubuntu and joining #ubuntu.
   * Changes no longer needed:
     - d/p/CVE-2018-xxxx.patch: Applied upstream.
 .
 irssi (1.0.7-1) unstable; urgency=high
 .
   * New upstream bugfix release (closes: #886475):
     From 1.0.6:
     - Fix invalid memory access when reading hilight configuration
       (#787, #788).
     - Fix null pointer dereference when the channel topic is set
       without specifying a sender [CVE-2018-5206]
     - Fix return of random memory when using incomplete escape
       codes [CVE-2018-5205]
     - Fix heap buffer overflow when completing certain strings
       [CVE-2018-5208]
     - Fix return of random memory when using an incomplete
       variable argument [CVE-2018-5207]
 .
     From 1.0.7:
     - Prevent use after free error during the execution of some
       commands. Found by Joseph Bisch [CVE-2018-7054] (closes: #890674)
     - Revert netsplit print optimisation due to crashes
     - Fix use after free when SASL messages are received in
       unexpected order [CVE-2018-7053] (closes: #890675)
     - Fix null pointer dereference in the tab completion when an
       empty nick is joined [CVE-2018-7050] (closes: #890678)
     - Fix use after free when entering oper password
     - Fix null pointer dereference when too many windows are
       opened [CVE-2018-7052] (closes: #890676)
     - Fix out of bounds access in theme strings when the last
       escape is incomplete. Credit to Oss-Fuzz [CVE-2018-7051]
       (closes: #890677)
     - Fix out of bounds write when using negative counts on window
       resize
     - Minor help correction. By William Jackson
 .
   * Fix watch URL.
   * Bump to debhelper compat 11, remove autotools-dev Build-Depends.
   * Bump Standards-Version to 4.1.3.
   * Add lintian overrides for the spelling of "hilight" in the changelog
     mentioning the lintian overrides for the spelling of "hilight" in irssi
     itself.

tags: added: needs-debian-merge upgrade-software-version
Gianfranco Costamagna (costamagnagianfranco) wrote :

sponsored after changing "devel" to "cosmic" and adding this bug as reference in changelog

Changed in irssi (Ubuntu):
status: New → Fix Released