- Update to version 1.7.1:
  * Security critical fixes[edit]
    + CVE-2018-14055: non-admin user could gain admin privileges and shell access by injecting values into znc.conf.
    + CVE-2018-14056: path traversal in HTTP handler via ../ in a web skin name.
  * Core
    + Fix znc-buildmod to not hardcode the compiler used to build ZNC anymore in CMake build (#1536)
    + Fix language selector. Russian and German were both not selectable.
    + Fix build without SSL support (#1554)
    + Fix several broken strings
    + Stop spamming users about debug mode. This feature was added in 1.7.0, now reverted. (#1541)
  * New
    + Add partial Spanish, Indonesian, and Dutch translations
  * Modules
    + adminlog: Log the error message again (regression of 1.7.0) (#1557)
    + admindebug: New module, which allows admins to turn on/off --debug in runtime (#1556)
    + flooddetach: Fix description of commands (#1548)
    + modperl: Fix memory leak in NV handling
    + modperl: Fix functions which return VCString (#1543)
    + modpython: Fix functions which return VCString (#1543)
    + webadmin: Fix fancy CTCP replies editor for Firefox. It was showing the plain version even when JS is enabled
  * Internal
    + Deprecate one of the overloads of CMessage::GetParams(), rename it to CMessage::GetParamsColon()
    + Don't throw from destructor in the integration test
    + Fix a warning with integration test / gmake / znc-buildmod interaction.
- Drop upstream patches:
  * znc-inject2.patch
  * znc-inject.patch
  * znc-traversal.patch

- Fix boo#1101280 CVE-2018-14056

• Files Changed
• Browse Source