ZNC: Remote Code Execution — GLSA 202409-23

A vulnerability has been found in ZNC which could result in remote code execution.

Affected packages

net-irc/znc on all architectures
Affected versions < 1.9.1
Unaffected versions >= 1.9.1

Background

ZNC is an advanced IRC bouncer.

Description

ZNC's modtcl could allow for remote code execution via a KICK.

Impact

A vulnerable ZNC with the modtcl module loaded could be exploited for remote code execution.

Workaround

Unload the mod_tcl module.

Resolution

All ZNC users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-irc/znc-1.9.1"
 

References

Release date
September 24, 2024

Latest revision
September 24, 2024: 1

Severity
normal

Exploitable
remote

Bugzilla entries