CVE-2024-39844

NameCVE-2024-39844
DescriptionIn ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5725-1
Debian Bugs1075729

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
znc (PTS)bullseye1.8.2-2vulnerable
bullseye (security)1.8.2-2+deb11u1fixed
bookworm1.8.2-3.1vulnerable
bookworm (security)1.8.2-3.1+deb12u1fixed
sid, trixie1.9.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zncsourcebullseye1.8.2-2+deb11u1DSA-5725-1
zncsourcebookworm1.8.2-3.1+deb12u1DSA-5725-1
zncsource(unstable)1.9.1-11075729

Notes

Fixed by: https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e (znc-1.9.1)
Search for package or bug name: Reporting problems