CVE-2010-2448

Publication date 12 July 2010

Last updated 24 July 2024

Ubuntu priority

znc.cpp in ZNC before 0.092 allows remote authenticated users to cause a denial of service (crash) by requesting traffic statistics when there is an active unauthenticated connection, which triggers a NULL pointer dereference, as demonstrated using (1) a traffic link in the web administration pages or (2) the traffic command in the /znc shell.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
znc	12.10 quantal	Fixed 0.090-2
	12.04 LTS precise	Fixed 0.090-2
	11.10 oneiric	Fixed 0.090-2
	11.04 natty	Fixed 0.090-2
	10.10 maverick	Fixed 0.090-2
	10.04 LTS lucid	Fixed 0.078-1ubuntu0.1
	9.10 karmic	Ignored
	9.04 jaunty	Ignored
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Not in release

Notes

sbeattie

debian's CVE tracker for some reason references gitolite with this CVE; I think it's an editing mistake.

mdeslaur

this is actually a typo. CVE-2010-2488 is the actual CVE number.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
znc	Upstream: http://znc.svn.sourceforge.net/viewvc/znc/trunk/znc.cpp?r1=2025&r2=2026&pathrev=2026