William Cummings

**Name of the Vulnerable Software and Affected Versions** libsilc versions prior to 1.1.9 silc (affected versions not specified) libsilc-1.1-2 (affected versions not specified) libsilc-1.1-2-dev (affected versions not specified) libsilc-1.1-2-dbg (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in the SILC Toolkit, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. Specifically, the `silc http server parse` function in the internal HTTP server is vulnerable to a crafted Content-Length header, potentially allowing remote attackers to execute arbitrary code due to the incorrect use of a `%lu` format string. **Recommendations** For versions prior to 1.1.9, update to version 1.1.9 or later to resolve the issue. For silc, libsilc-1.1-2, libsilc-1.1-2-dev, and libsilc-1.1-2-dbg, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SILC Toolkit versions prior to 1.1.10 SILC Client versions prior to 1.1.8 **Description** The issue concerns multiple vulnerabilities in the SILC Toolkit and SILC Client, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. The vulnerabilities are related to format string specifiers in a nickname field and are associated with the `silc client add client`, `silc client update client`, and `silc client nickname format` functions. **Recommendations** For SILC Toolkit versions prior to 1.1.10, update to version 1.1.10 or later to resolve the issue. For SILC Client versions prior to 1.1.8, update to version 1.1.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `silc client add client`, `silc client update client`, and `silc client nickname format` functions until a patch is available.