RHEL 2.1 : xchat (RHSA-2002:124)

high Nessus Plugin ID 12303

Synopsis

The remote Red Hat host is missing a security update.

Description

A security issue in XChat allows a malicious server to execute arbitrary commands.

XChat is a popular cross-platform IRC client.

Versions of XChat prior to 1.8.9 do not filter the response from an IRC server when a /dns query is executed. Because XChat resolves hostnames by passing the configured resolver and hostname to a shell, an IRC server may return a maliciously formatted response that executes arbitrary commands with the privileges of the user running XChat.

All users of XChat are advised to update to these errata packages containing XChat version 1.8.9, which is not vulnerable to this issue.

[update 14 Aug 2002] Previous packages pushed were not signed; this update replaces the packages with signed versions.

Solution

Update the affected xchat package.

See Also

https://access.redhat.com/security/cve/cve-2002-0382

https://access.redhat.com/errata/RHSA-2002:124

Plugin Details

Severity: High

ID: 12303

File Name: redhat-RHSA-2002-124.nasl

Version: 1.24

Type: local

Agent: unix

Published: 7/6/2004

Updated: 1/14/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:xchat, cpe:/o:redhat:enterprise_linux:2.1

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 8/14/2002

Vulnerability Publication Date: 6/25/2002

Reference Information

CVE: CVE-2002-0382

BID: 4376

RHSA: 2002:124