CVE-2015-3427 — quassel - security update

Description

Quassel before 0.12.2 does not properly re-initialize the database session when the PostgreSQL database is restarted, which allows remote attackers to conduct SQL injection attacks via a \ (backslash) in a message. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4422.

How to fix CVE-2015-3427

To remediate CVE-2015-3427, upgrade the affected package to a fixed version below.

Debian/quassel—upgrade to 1:0.10.0-2.4 or later
Debian/quassel—upgrade to 1:0.10.0-2.3+deb8u1 or later

Is CVE-2015-3427 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1:0.10.0-2.4
from 0, < 1:0.10.0-2.3+deb8u1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-3427