Security update for znc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0203-1 Final 1 1 2024-07-17T12:06:08Z current 2024-07-17T12:06:08Z 2024-07-17T12:06:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for znc This update for znc fixes the following issues: Update to 1.9.1 (boo#1227393, CVE-2024-39844) * This is a security release to fix CVE-2024-39844: remote code execution vulnerability in modtcl. To mitigate this for existing installations, simply unload the modtcl module for every user, if it's loaded. Note that only users with admin rights can load modtcl at all. * Improve tooltips in webadmin. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-203 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7QQ7R7LSWLXD4TDRUDSD57JQTEXMFSMH/ E-Mail link for openSUSE-SU-2024:0203-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227393 SUSE Bug 1227393 https://www.suse.com/security/cve/CVE-2024-39844/ SUSE CVE CVE-2024-39844 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 znc-1.9.1-bp156.2.3.1 znc-devel-1.9.1-bp156.2.3.1 znc-lang-1.9.1-bp156.2.3.1 znc-perl-1.9.1-bp156.2.3.1 znc-python3-1.9.1-bp156.2.3.1 znc-tcl-1.9.1-bp156.2.3.1 znc-1.9.1-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 znc-devel-1.9.1-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 znc-lang-1.9.1-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 znc-perl-1.9.1-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 znc-python3-1.9.1-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 znc-tcl-1.9.1-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 znc-1.9.1-bp156.2.3.1 as a component of openSUSE Leap 15.6 znc-devel-1.9.1-bp156.2.3.1 as a component of openSUSE Leap 15.6 znc-lang-1.9.1-bp156.2.3.1 as a component of openSUSE Leap 15.6 znc-perl-1.9.1-bp156.2.3.1 as a component of openSUSE Leap 15.6 znc-python3-1.9.1-bp156.2.3.1 as a component of openSUSE Leap 15.6 znc-tcl-1.9.1-bp156.2.3.1 as a component of openSUSE Leap 15.6 In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. CVE-2024-39844 SUSE Package Hub 15 SP6:znc-1.9.1-bp156.2.3.1 SUSE Package Hub 15 SP6:znc-devel-1.9.1-bp156.2.3.1 SUSE Package Hub 15 SP6:znc-lang-1.9.1-bp156.2.3.1 SUSE Package Hub 15 SP6:znc-perl-1.9.1-bp156.2.3.1 SUSE Package Hub 15 SP6:znc-python3-1.9.1-bp156.2.3.1 SUSE Package Hub 15 SP6:znc-tcl-1.9.1-bp156.2.3.1 openSUSE Leap 15.6:znc-1.9.1-bp156.2.3.1 openSUSE Leap 15.6:znc-devel-1.9.1-bp156.2.3.1 openSUSE Leap 15.6:znc-lang-1.9.1-bp156.2.3.1 openSUSE Leap 15.6:znc-perl-1.9.1-bp156.2.3.1 openSUSE Leap 15.6:znc-python3-1.9.1-bp156.2.3.1 openSUSE Leap 15.6:znc-tcl-1.9.1-bp156.2.3.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7QQ7R7LSWLXD4TDRUDSD57JQTEXMFSMH/ https://www.suse.com/security/cve/CVE-2024-39844.html CVE-2024-39844 https://bugzilla.suse.com/1227393 SUSE Bug 1227393