Bugzilla – Bug 928728
VUL-0: CVE-2015-3427: quassel: incomplete fix for CVE-2013-4422 sql injection due to reconnection behaviour
Last modified: 2015-05-24 15:05:44 UTC
Created attachment 632455
upstream commit 6605882f41331c80f7ac3a6992650a702ec71283
via oss-sec http://seclists.org/oss-sec/2015/q2/290
> It's been found that in Quassel, CVE-2013-4422 was incorrectly
> fixed and that the core was still vulnerable to SQL injection on reconnection.
> This has been fixed with commit:
> The incomplete bugfix had been released with Quassel 0.9.1:
No upstream release with the completed fix yet.
13.1, 13.2, Factory affected.
(In reply to Tomas Chvatal from bug 845511 comment #3)
> Hey, I am not the maintainer ;-)
Who is it? :-P Let the security team know if a bug is assigned to you that you don't want to or won't fix, or someone in CC can feel free to pick it up.
bugbot adjusting priority
CVE-2015-3427 assigned http://seclists.org/oss-sec/2015/q2/291
I set myself as maintainer in the meantime, so no worries. It was spelicke before, but he is no longer active in the community, it seems, since he left SUSE.
I will fix this during the conference or after :)
Sec update sent to 13.1 and 13.2 and version bump sent to Factory.
This is an autogenerated message for OBS integration:
This bug (928728) was mentioned in
https://build.opensuse.org/request/show/305558 Factory / quassel
openSUSE-SU-2015:0933-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 928728
CVE References: CVE-2015-3427
openSUSE 13.2 (src): quassel-0.10.0-3.10.1
openSUSE 13.1 (src): quassel-0.9.2-22.1