zen-parse discovered a problem in versions 1.4.2 and 1.4.3 of xchat
that could allow a malicious user to send commands to the IRC server
they are on that take advantage of the CTCP PING reply handler
in xchat. This could be used for denial of service, channel takeovers,
and other similar attacks. The problem also exists in the 1.6 and 1.8
versions; however, there it is controlled by the "percascii" variable,
which defaults to 0. If "percascii" is set to 1, the problem is
exploitable. This vulnerability has been fixed upstream in version 1.8.7.
27fa0b00644a3d6ebb11b668bf6f1e8e 7.1/RPMS/xchat-1.8.7-1.3mdk.i586.rpm e65886af7b35ddc185e14df38213c8c4 7.1/SRPMS/xchat-1.8.7-1.3mdk.src.rpm
c014496faa8a5889a00b545612bc66de 7.2/RPMS/xchat-1.8.7-1.2mdk.i586.rpm c7a219059a88152e634b9cb36a1cee0f 7.2/SRPMS/xchat-1.8.7-1.2mdk.src.rpm
54e0b792297002e075a775ff66b47184 8.0/RPMS/xchat-1.8.7-1.1mdk.i586.rpm 6a55c811c3795de0f38c4f3e946edecf 8.0/SRPMS/xchat-1.8.7-1.1mdk.src.rpm
0fb9eb64dc80e07e8ddb25bad8adb8fc ppc/8.0/RPMS/xchat-1.8.7-1.1mdk.ppc.rpm 6a55c811c3795de0f38c4f3e946edecf ppc/8.0/SRPMS/xchat-1.8.7-1.1mdk.src.rpm
d9c2e6756586964aceceb3b23fd0bb38 8.1/RPMS/xchat-1.8.7-1.1mdk.i586.rpm 6a55c811c3795de0f38c4f3e946edecf 8.1/SRPMS/xchat-1.8.7-1.1mdk.src.rpm
b96628062c40d86765ef77fa051fcb86 ia64/8.1/RPMS/xchat-1.8.7-1.1mdk.ia64.rpm 6a55c811c3795de0f38c4f3e946edecf ia64/8.1/SRPMS/xchat-1.8.7-1.1mdk.src.rpm
Corporate Server 1.0.1
27fa0b00644a3d6ebb11b668bf6f1e8e 1.0.1/RPMS/xchat-1.8.7-1.3mdk.i586.rpm e65886af7b35ddc185e14df38213c8c4 1.0.1/SRPMS/xchat-1.8.7-1.3mdk.src.rpm
To upgrade automatically, use MandrivaUpdate.
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.
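For a manual download, the same two checks can be scripted. The following is an added example, not part of the original advisory: it assumes the advisory's "md5 path" package list has been saved to a text file, that md5sum is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: look a package up in an advisory's MD5 list, compare the
# checksum, then run the signature check the advisory recommends.

# Print the MD5 listed for package basename $2 in manifest file $1.
# A manifest line may hold several "<md5> <path>" pairs, as in the advisory.
advisory_md5() {
    awk -v want="$2" '
    { for (i = 1; i < NF; i++) {
        if (length($i) == 32 && $i !~ /[^0-9a-f]/) {
            n = split($(i + 1), part, "/")
            if (part[n] == want) { print $i; found = 1; exit }
        }
    } }
    END { exit !found }' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the package is not in the list.
check_md5() {
    expected=$(advisory_md5 "$1" "$(basename "$2")") || {
        echo "not listed in advisory: $2" >&2
        return 2
    }
    actual=$(md5sum "$2" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "MD5 mismatch: $2" >&2
        return 1
    fi
}

# The MD5 comparison only shows the file matches the published list;
# the GPG signature check is what authenticates the package.
verify_package() {
    check_md5 "$1" "$2" || return
    if command -v rpm >/dev/null 2>&1; then
        rpm --checksig "$2"
    else
        echo "rpm not found; signature not checked" >&2
        return 3
    fi
}

# Usage: sh verify.sh advisory-md5.txt xchat-1.8.7-1.1mdk.i586.rpm
if [ "$#" -eq 2 ]; then
    verify_package "$1" "$2"
fi
```

A non-zero exit status means the package should not be installed: 1 for a checksum mismatch, 2 when the file is not named in the list, 3 when the signature could not be checked.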