CVE-2010-2448

Publication date 12 July 2010

Last updated 24 July 2024

Ubuntu priority

znc.cpp in ZNC before 0.092 allows remote authenticated users to cause a denial of service (crash) by requesting traffic statistics when there is an active unauthenticated connection, which triggers a NULL pointer dereference, as demonstrated using (1) a traffic link in the web administration pages or (2) the traffic command in the /znc shell.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
znc	12.10 quantal	Fixed 0.090-2
	12.04 LTS precise	Fixed 0.090-2
	11.10 oneiric	Fixed 0.090-2
	11.04 natty	Fixed 0.090-2
	10.10 maverick	Fixed 0.090-2
	10.04 LTS lucid	Fixed 0.078-1ubuntu0.1
	9.10 karmic	Ignored end of life
	9.04 jaunty	Ignored end of life
	8.04 LTS hardy	Ignored end of life
	6.06 LTS dapper	Not in release

Notes

sbeattie

debian’s CVE tracker for some reason references gitolite with this CVE; I think it’s an editing mistake.

mdeslaur

this is actually a typo. CVE-2010-2488 is the actual CVE number.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
znc	Upstream: http://znc.svn.sourceforge.net/viewvc/znc/trunk/znc.cpp?r1=2025&r2=2026&pathrev=2026