CVE-2013-6404
Published: 9 December 2013
Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
Notes
Author | Note |
---|---|
mdeslaur | in precise, server component is in universe |
Priority
Status
Package | Release | Status |
---|---|---|
quassel | lucid | Ignored (end of life) |
quassel | precise | Released (0.8.0-0ubuntu1.1) |
quassel | quantal | Released (0.8.0-0ubuntu2.1) |
quassel | raring | Ignored (end of life) |
quassel | saucy | Released (0.9.1-0ubuntu1.1) |
quassel | upstream | Released (0.9.2-1) |

Patches: upstream: https://github.com/quassel/quassel/commit/a1a24da

Binaries built from this source package are in Universe and so are supported by the community.