Arch Linux Security Advisory ASA-201605-5 ========================================= Severity: Medium Date : 2016-05-05 CVE-ID : CVE-2016-4414 Package : quassel-core Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package quassel-core before version 0.12.4-1 is vulnerable to denial of service attack by unauthenticated clients. Resolution ========== Upgrade to 0.12.4-1. # pacman -Syu "quassel-core>=0.12.4-1" The problem has been fixed upstream in version 0.12.4. Workaround ========== None. Description =========== - CVE-2016-4414 (denial of service) It was found that quasselcore is vulnerable to a denial of service attack by unauthenticated clients. The protocol negotiation did not take into account lack of a match, in which case PeerFactory::createPeer returns a nullptr, which is immediately dereferenced. Impact ====== A remote attacker is able to crash the quassel-core with an unauthenticated client. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4414 https://marc.info/?l=oss-security&m=146204310020229&w=2 https://github.com/quassel/quassel/commit/e67887343c433cc35bc26ad6a9392588f4...