Hi all,
Package: inn
Version: 1.7.2q-41
Severity: grave
The STARTTLS implementation in INN's NNTP server for readers, nnrpd,
before 2.5.3 does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted
sessions by sending a cleartext command that is processed after TLS
is in place, related to a "plaintext command injection" attack, a
similar issue to CVE-2011-0411.
reassign 685581 inn2
I see that this bug report has been reassigned to the inn2 package.
Yet, it is not present in the latest 2.5.3-1 inn2 package. Shouldn't
the bug be closed for inn2 then?
Or does it mean that a security release should be made for previous
versions still maintained by the Debian project?
And... as for inn 1.7.2, I think it does not support STARTTLS, right? (I
have not checked.)
The feature was added in INN 2.3.0.
Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part)
The complete patch deals with more files than nnrpd/misc.c; the relevant
patch is:
http://inn.eyrie.org/trac/changeset/9259
I hope this commit #9259 will be of help!
--
Julien ÉLIE
"– We will talk when the interpreter is asleep. [Bong!]
– He is asleep. We can talk." (Astérix)
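
The buffering flaw described in the report above, reduced to a stand-alone simulation. This is an added example, not code from INN or from changeset 9259; the `reader` struct, the function names and the input are hypothetical. It shows that a line buffer carried across the STARTTLS switch lets a command received in cleartext be parsed as if it had arrived over TLS, and that discarding the buffer at the switch prevents this.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified reader state (not INN's own structures). */
struct reader { char buf[256]; size_t len; int tls; };

/* Append bytes as one read() from the socket would deliver them. */
static void feed(struct reader *r, const char *data) {
    size_t n = strlen(data);
    if (n > sizeof r->buf - r->len) n = sizeof r->buf - r->len;
    memcpy(r->buf + r->len, data, n);
    r->len += n;
}

/* Pop one CRLF-terminated line into out; return 0 if none is buffered. */
static int next_line(struct reader *r, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < r->len; i++) {
        if (r->buf[i] != '\r' || r->buf[i + 1] != '\n') continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, r->buf, n);
        out[n] = '\0';
        memmove(r->buf, r->buf + i + 2, r->len - (i + 2));
        r->len -= i + 2;
        return 1;
    }
    return 0;
}

/* Switch to TLS; flush discards cleartext bytes queued behind STARTTLS. */
static void do_starttls(struct reader *r, int flush) {
    if (flush) r->len = 0;
    r->tls = 1;
}

/* Count commands parsed after the TLS switch that were received before it. */
int cleartext_cmds_run_under_tls(int flush) {
    struct reader r = { .len = 0, .tls = 0 };
    char line[128];
    int n = 0;
    feed(&r, "STARTTLS\r\nGROUP example.test\r\n"); /* constructed input */
    while (next_line(&r, line, sizeof line)) {
        if (!r.tls && strcmp(line, "STARTTLS") == 0) do_starttls(&r, flush);
        else if (r.tls) n++;
    }
    return n;
}

int main(void) {
    printf("unflushed: %d\n", cleartext_cmds_run_under_tls(0));
    printf("flushed: %d\n", cleartext_cmds_run_under_tls(1));
    return 0;
}
```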