CVE-2014-9403

Published: 19 December 2014

The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a "use-after-delete" error.

Priority

Status

Package	Release	Status
znc Launchpad, Ubuntu, Debian	artful	Not vulnerable
	bionic	Not vulnerable
	lucid	Ignored (end of life)
	precise	Ignored (end of life)
	trusty	Released (1.2-3ubuntu0.1)
	upstream	Released (1.2-4)
	utopic	Not vulnerable (1.4-1build1)
	vivid	Not vulnerable
	wily	Not vulnerable
	xenial	Not vulnerable
	yakkety	Not vulnerable
	zesty	Not vulnerable

References

https://github.com/znc/znc/issues/528
https://github.com/znc/znc/commit/8756be513ab6663dcd64087006b257ff34e8e487
http://www.openwall.com/lists/oss-security/2014/12/17
https://www.cve.org/CVERecord?id=CVE-2014-9403
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744712

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›