Slackware Linux update for irssi
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-10965 CVE-2017-10966 |
| CWE-ID | CWE-476 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Slackware Linux Operating systems & Components / Operating system |
| Vendor | Slackware |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) NULL pointer dereference
EUVDB-ID: #VU7400
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-10965
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference error when parsing messages with invalid time stamps in Irssi. A remote attacker can send a specially crafted message and crash the affected server.
Update the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.0:*:*:*:*:*:*:*
- cpe:2.3:o:slackware:slackware_linux:14.1:*:*:*:*:*:*:*
- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU7401
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-10966
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when incorrectly using GHashTable interface while updating internal nick list. A remote unauthenticated attacker can create a specially crafted nick name and crash the affected server or execute arbitrary code.
Successful exploitation of the vulnerability may result in remote code execution.
Update the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
CPE2.3- cpe:2.3:o:slackware:slackware_linux:14.0:*:*:*:*:*:*:*
- cpe:2.3:o:slackware:slackware_linux:14.1:*:*:*:*:*:*:*
- cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
