[Bug 1754781] [NEW] Please merge the latest bug release, 1.0.7-1, from Debian

Launchpad Bug Tracker 1754781 at bugs.launchpad.net
Fri Mar 9 23:21:13 UTC 2018 

You have been subscribed to a public bug by Unit 193 (unit193):

While the version in Bionic contains the CVE fixes, it would be nice to
ship the latest bugfix release in the 1.0.x series.

dget
https://launchpad.net/~unit193/+archive/ubuntu/staging/+files/irssi_1.0.7-1ubuntu1.dsc

Source: irssi
Version: 1.0.7-1ubuntu1
Distribution: devel
Urgency: high
Maintainer: Unit 193 <unit193 at ubuntu.com>
Timestamp: 1520636093
Date: Fri, 09 Mar 2018 17:54:53 -0500
Closes: 886475 890674 890675 890676 890677 890678
Changes:
 irssi (1.0.7-1ubuntu1) devel; urgency=medium
 .
   * Merge from Debian. Remaining changes:
     - Refresh and re-enabled 20fix_ssl_proxy_hostname_check.
       - When we have a proxy setting, we expect the CN to match
         the proxy hostname, not the server hostname.
     - d/p/90irc-ubuntu-com: 
       + Add the Ubuntu network with irc.ubuntu.com as the server,
         which is currently a CNAME for chat.freenode.net.
     - d/p/03firsttimer_text:
       + Adapt 03firsttimer_text so it tells you about
         connecting to Ubuntu and joining #ubuntu.
   * Changes no longer needed:
     - d/p/CVE-2018-xxxx.patch: Applied upstream.
 .
 irssi (1.0.7-1) unstable; urgency=high
 .
   * New upstream bugfix release (closes: #886475):
     From 1.0.6:
     - Fix invalid memory access when reading hilight configuration
       (#787, #788).
     - Fix null pointer dereference when the channel topic is set
       without specifying a sender [CVE-2018-5206]
     - Fix return of random memory when using incomplete escape
       codes [CVE-2018-5205]
     - Fix heap buffer overflow when completing certain strings
       [CVE-2018-5208]
     - Fix return of random memory when using an incomplete
       variable argument [CVE-2018-5207]
 .
     From 1.0.7:
     - Prevent use after free error during the execution of some
       commands. Found by Joseph Bisch [CVE-2018-7054] (closes: #890674)
     - Revert netsplit print optimisation due to crashes
     - Fix use after free when SASL messages are received in
       unexpected order [CVE-2018-7053] (closes: #890675)
     - Fix null pointer dereference in the tab completion when an
       empty nick is joined [CVE-2018-7050] (closes: #890678)
     - Fix use after free when entering oper password
     - Fix null pointer dereference when too many windows are
       opened [CVE-2018-7052] (closes: #890676)
     - Fix out of bounds access in theme strings when the last
       escape is incomplete. Credit to Oss-Fuzz [CVE-2018-7051]
       (closes: #890677)
     - Fix out of bounds write when using negative counts on window
       resize
     - Minor help correction. By William Jackson
 .
   * Fix watch URL.
   * Bump to debhelper compat 11, remove autotools-dev Build-Depends.
   * Bump Standards-Version to 4.1.3.
   * Add lintian overrides for the spelling of "hilight" in the changelog
     mentioning the lintian overrides for the spelling of "hilight" in irssi
     itself.

** Affects: irssi (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Please merge the latest bug release, 1.0.7-1, from Debian
https://bugs.launchpad.net/bugs/1754781
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list