[MIR] inspircd

Bug #1459689 reported by LaMont Jones
This bug affects 3 people
Affects: inspircd (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: none listed

Bug Description

After careful review of https://wiki.ubuntu.com/UbuntuMainInclusionRequirements, I believe that inspircd should be included in main. Our evaluation of IRC daemons led us to inspircd as the only one that met our needs (open source, LDAP integration, without a history of upstream releases having security issues in the tarball).

Package: inspircd

Availability:
Present in a useful form as of wily.

Rationale:
We currently have no IRC daemon in main. This package represents the
best available IRC daemon for large-scale deployment.

Security:
The only recent CVE is one that was found in 2.0.5 (trusty's version),
which was addressed in 2.0.6, and incorrectly patched in Debian. 2.0.17
and later appear to be well (and actively) maintained.

QA:
I am not recommending that this be installed by default. The package
documentation makes configuring it relatively straightforward.

Issue tracking:
https://bugs.debian.org/inspircd
https://bugs.launchpad.net/ubuntu/+source/inspircd
https://github.com/inspircd/inspircd/issues

Dependencies: all in main other than tre, which appears to be very
stable, and could likely be pulled into main as well.

Standards: meets standards

Maintenance: Debian IRC Team <email address hidden>

Background information:

Historically, we have used UnrealIRCd, which has a relatively poor
security track record. After evaluation of alternatives, we determined
that inspircd was the best candidate for our IRC needs, with anope
providing services.

Security history:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=inspircd
CVE-2008-1925: Timely fix.
CVE-2012-1836: Timely fix, though the backport of the fix to Debian's
               2.0.5 package apparently had issues, which were solved
               with a subsequent upload of the upstream package.

http://secunia.com/advisories/search/?search=inspircd
6 records found, mostly from 2012 and earlier, one from 2015-04-17

http://people.canonical.com/~ubuntu-security/cve/universe.html
no entries

Security relevant binaries:
No setuid/setgid binaries
Delivers binaries in /usr/sbin, and starts services.
An apparmor profile has been written, and a bug requesting inclusion
submitted.
No privileged ports are used.

Michael Terry (mterry) wrote :

But why do we need it in main? You're not asking for it to be seeded.

James Troup (elmo) wrote : Re: [Bug 1459689] Re: [MIR] inspircd

Michael Terry <email address hidden> writes:

> But why do we need it in main?

So it gets security updates by the security team?

--
James

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in inspircd (Ubuntu):
status: New → Confirmed
Michael Terry (mterry)
Changed in inspircd (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Tyler Hicks (tyhicks)
Changed in inspircd (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Ubuntu Security Team (ubuntu-security)
Emily Ratliff (emilyr) wrote :

Per discussion with James Troup, this MIR is no longer needed.

Changed in inspircd (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: Confirmed → Won't Fix