[Bug 1754781] Re: Please merge the latest bug release, 1.0.7-1, from Debian
LocutusOfBorg
costamagnagianfranco at yahoo.it
Wed May 9 07:33:03 UTC 2018
sponsored after changing "devel" to "cosmic" and adding this bug as
reference in changelog
** Changed in: irssi (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1754781
Title:
Please merge the latest bug release, 1.0.7-1, from Debian
Status in irssi package in Ubuntu:
Fix Released
Bug description:
While the version in Bionic contains the CVE fixes, it would be nice
to ship the latest bugfix release in the 1.0.x series.
dget https://launchpad.net/~unit193/+archive/ubuntu/staging/+files/irssi_1.0.7-1ubuntu1.dsc
Source: irssi
Version: 1.0.7-1ubuntu1
Distribution: devel
Urgency: high
Maintainer: Unit 193 <unit193 at ubuntu.com>
Timestamp: 1520636093
Date: Fri, 09 Mar 2018 17:54:53 -0500
Closes: 886475 890674 890675 890676 890677 890678
Changes:
irssi (1.0.7-1ubuntu1) devel; urgency=medium
.
  * Merge from Debian. Remaining changes:
    - Refresh and re-enabled 20fix_ssl_proxy_hostname_check.
      - When we have a proxy setting, we expect the CN to match
        the proxy hostname, not the server hostname.
    - d/p/90irc-ubuntu-com:
      + Add the Ubuntu network with irc.ubuntu.com as the server,
        which is currently a CNAME for chat.freenode.net.
    - d/p/03firsttimer_text:
      + Adapt 03firsttimer_text so it tells you about
        connecting to Ubuntu and joining #ubuntu.
  * Changes no longer needed:
    - d/p/CVE-2018-xxxx.patch: Applied upstream.
.
irssi (1.0.7-1) unstable; urgency=high
.
  * New upstream bugfix release (closes: #886475):
    From 1.0.6:
    - Fix invalid memory access when reading hilight configuration
      (#787, #788).
    - Fix null pointer dereference when the channel topic is set
      without specifying a sender [CVE-2018-5206]
    - Fix return of random memory when using incomplete escape
      codes [CVE-2018-5205]
    - Fix heap buffer overflow when completing certain strings
      [CVE-2018-5208]
    - Fix return of random memory when using an incomplete
      variable argument [CVE-2018-5207]
.
    From 1.0.7:
    - Prevent use after free error during the execution of some
      commands. Found by Joseph Bisch [CVE-2018-7054] (closes: #890674)
    - Revert netsplit print optimisation due to crashes
    - Fix use after free when SASL messages are received in
      unexpected order [CVE-2018-7053] (closes: #890675)
    - Fix null pointer dereference in the tab completion when an
      empty nick is joined [CVE-2018-7050] (closes: #890678)
    - Fix use after free when entering oper password
    - Fix null pointer dereference when too many windows are
      opened [CVE-2018-7052] (closes: #890676)
    - Fix out of bounds access in theme strings when the last
      escape is incomplete. Credit to Oss-Fuzz [CVE-2018-7051]
      (closes: #890677)
    - Fix out of bounds write when using negative counts on window
      resize
    - Minor help correction. By William Jackson
.
  * Fix watch URL.
  * Bump to debhelper compat 11, remove autotools-dev Build-Depends.
  * Bump Standards-Version to 4.1.3.
  * Add lintian overrides for the spelling of "hilight" in the changelog
    mentioning the lintian overrides for the spelling of "hilight" in irssi
    itself.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/irssi/+bug/1754781/+subscriptions