known ssld crash

Bug #1594222 reported by Rob Andrews
This bug affects 2 people
Affects: charybdis (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

#charybdis @ irc.freenode.net

<sin> question.. has anyone had problems with 3.5.1 ssld crashing a lot?
<amdj> sin: I'm about to be off to bed, but I fixed a DH parameters absence crash in 3.5.1. use release/3.5 HEAD or at least 3.5.2p1
<sin> amdj, thank you so much... it's not updated in apt yet for ubuntu so I was wondering

Anytime a user connects to a charybdis ircd via ssl there is a chance that the connection will cause a failure of the ssld process. This crash drops all clients connected via ssl on the server.

This is a known and fixed issue in the current release of charybdis. Please update.

Release notes that highlight this issue: http://charybdis.io/2016/05/14/charybdis-3.5.2-release.html

Rob Andrews (randrews)
Changed in charybdis (Ubuntu):
status: New → Confirmed
anarcat (anarcat) wrote :

it is unclear to me from the changelog the relation with this specific issue. it doesn't mention any ssl-specific crash and i can't correlate the description with the changelog.

it seems to me that if this was public in the charybdis community, it should be made public here too. furthermore, a CVE should be assigned so that other entities (e.g. Debian) can also track this issue effectively.

it seems that the NEWS file is a little better, but still unclear. has this been clarified upstream?

https://github.com/charybdis-ircd/charybdis/blob/release/3.5/NEWS.md

Rob Andrews (randrews) wrote :

https://github.com/charybdis-ircd/charybdis-ircd.github.io/blob/master/_posts/2016-04-02-charybdis-3.5.1-release.md

My mistake. I pasted the wrong release. It's covered on the release notes as well but the details weren't as specific: http://charybdis.io/2016/04/02/charybdis-3.5.1-release.html

It is a known issue and I have the package you maintain running on a private server at the moment and it had been configured to only use SSL connections. When I asked on freenode the answer was direct about the fix which was made to correct the issue.

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in charybdis (Ubuntu):
status: Confirmed → Incomplete
information type: Private Security → Public Security
Rob Andrews (randrews) wrote :

ssld does crash on *all* servers currently running this version of charybdis which makes it insecure and remotely crashable. This issue should be handled by the maintainer and Ubuntu Security.

I'd suggest either removing this package or finding someone to update it. I won't be involved any further than I have in reporting the error.

Changed in charybdis (Ubuntu):
status: Incomplete → Confirmed
Rob Andrews (randrews) wrote :

Also, stating that this report is incomplete when you have the statement from IRC by the software maintainer that updated and patched the fix stating that it was a known bug that had been patched.

This is a confirmed bug.

anarcat (anarcat) wrote :

i have packaged 3.5.2 in debian sid, and it should hit testing/backports soon. i had problems running 3.5.0 in production, as ssld would indeed crash. i filed this issue upstream to discuss the bug and they promptly fixed it:

https://github.com/charybdis-ircd/charybdis/issues/210

the patch is in the debian package and should be shipped with 3.5.3 soonish.

is this the same issue you have seen?

is 3.4 vulnerable to the issue you are describing? i haven't suffered from the problems you described in the wild on the 3.4 branch...

Malcolm Scott (malcscott) wrote :

This seems to be fixed in yakkety, but the crash still exists in xenial -- any chance that this patch could be applied there too?

It's trivial to exploit -- anyone with access to open TCP connections to a charybdis 3.5.0 SSL server can crash the ssld.

anarcat (anarcat) wrote :

i am not an ubuntu maintainer, i only take care of the debian side of things - you'll have to find some Ubuntu person to follow up here...

This report contains Public Security information  
Everyone can see this security related information.
