| Summary: | inn new security issue CVE-2012-3523 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, oe, remco, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/518325/ | ||
| Whiteboard: | MGA1TOO MGA1-64-OK MGA1-32-OK has_procedure MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | inn-2.5.2-5.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Procedure used for testing (attachments 2964, 2965, 2978, 2979) | ||
Description
David Walser
2012-10-02 12:48:19 CEST

David Walser
2012-10-02 12:48:45 CEST
CC: (none) => oe

Remco Rijnders
2012-10-02 13:27:39 CEST
CC: (none) => remco

David Walser
2012-10-02 21:12:56 CEST
URL: (none) => http://lwn.net/Vulnerabilities/518325/

Oden has fixed this in Cauldron by upgrading to 2.5.3.

Version: Cauldron => 2

Oden, is this change you made in Cauldron correct?
- --with-berkeleydb=/usr/include/db4 \
+ --with-berkeleydb=%{_prefix} \
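
Review bot: on the `+` line, `--with-berkeleydb=%{_prefix}` passes an installation prefix where the `-` line passed a header directory (`/usr/include/db4`), so the two values are not the same kind of path and nothing in the hunk says which form the option expects. Add a comment in the spec stating that, and confirm from the build log that Berkeley DB support is still detected with the new value.
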
Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated inn packages fix security vulnerability:

The STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411 (CVE-2012-3523).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523
https://www.isc.org/software/inn/2.5.3article
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156
========================

Updated packages in core/updates_testing:
========================
inn-2.5.3-1.mga1
inn-devel-2.5.3-1.mga1
inews-2.5.3-1.mga1
inn-2.5.3-1.mga2
inn-devel-2.5.3-1.mga2
inews-2.5.3-1.mga2

from SRPMS:
inn-2.5.3-1.mga1.src.rpm
inn-2.5.3-1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Testing Mageia 1 shortly.

CC: (none) => davidwhodgins

After installing, "inncheck -f -perm | /bin/sh" has to be run, to fix the permissions, such as making /usr/bin/innbind suid, and correcting the ownership of various other files. Either the permissions and ownership should be fixed, or the script run as a postinstall scriptlet.

On 64 bit systems, /etc/init.d/innd has the line
[ -d /usr/lib/news ] || exit 0
Either the check should be removed, or changed to
[ -d /usr/lib64/news ] || exit 0

The scripts in /usr/bin/, such as news.daily have
. /usr/lib64/inn/news/innshellvars
The innshellvars script is in /usr/bin. Either all 14 of the scripts should be fixed, or the directory /usr/lib64/inn/news created, with a symlink in it to /usr/bin/innshellvars.

These bugs are not regressions, and are not blocking the update. I'm just making a note of them, for now, as I run into them.

In /usr/bin, so inncheck doesn't report errors,
ln -s /etc/rc.news

The inn package should suggest or require inews, to avoid error messages when running inncheck.

Testing complete on Mageia 1 i586 and x86-64.

I set up inn on both, with each other as peers, added a newsgroup to both, set up a usenet client for each, posted an article on each, and read the article from both servers.

I'll append a text file with the procedure used.

Whiteboard: MGA1TOO => MGA1TOO MGA1-64-OK MGA1-32-OK has_procedure

Created attachment 2964
Procedure used for testing

Note that I manually fixed the problems identified in Comment 5.

Be careful using attachment 2964. Somehow some of the double quotes
are showing up as â€œ when viewed in a browser, instead of as ".

Created attachment 2965
Procedure used for testing

I've edited the file using mc, replacing all of the double quotes.
Hopefully they will now show up correctly in a web browser.

Attachment 2964 is obsolete: 0 => 1

Testing Mageia 2 shortly.

Created attachment 2978
Procedure used for testing

Corrected the access/newsgroups setting.

Attachment 2965 is obsolete: 0 => 1

Created attachment 2979
Procedure used for testing

Fixed more of the quotes.

Attachment 2978 is obsolete: 0 => 1

Testing complete on Mageia 2 i586 and x86-64.

Testing using the same procedure as in comment 14, but using i2v and x2v (Mageia 2 i586 vb guest and Mageia 2 x86-64 vb guests).

Could someone from the sysadmin team push the srpm
inn-2.5.3-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
inn-2.5.3-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated inn packages fix security vulnerability:

The STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411 (CVE-2012-3523).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523
https://www.isc.org/software/inn/2.5.3article
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156
https://bugs.mageia.org/show_bug.cgi?id=7674

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0305

Status: NEW => RESOLVED
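
The buffering flaw described in the advisory above, as an added example that is not part of the original bug report and is not INN's code: a toy line reader that either keeps or discards input buffered before the STARTTLS switch. The class `ReaderModel`, its helpers and the sample traffic are constructed for illustration; discarding the buffer at the switch is shown as one common mitigation, not as a description of the 2.5.3 change.

```python
CRLF = b"\r\n"


class ReaderModel:
    """Toy line reader (constructed for illustration; not INN code)."""

    def __init__(self, discard_on_starttls):
        self.discard_on_starttls = discard_on_starttls
        self.buf = b""      # bytes read from the transport, not yet parsed
        self.tls = False    # True once the simulated handshake is done
        self.stale = 0      # buffered bytes that arrived before TLS
        self.executed = []  # (command, tls_active, came_from_cleartext)

    def receive(self, data):
        """Buffer one network read, then run every complete line in it."""
        self.buf += data
        while CRLF in self.buf:
            line, self.buf = self.buf.split(CRLF, 1)
            cmd = line.decode("ascii", "replace").strip()
            if cmd.upper() == "STARTTLS" and not self.tls:
                self.tls = True  # stands in for a completed handshake
                if self.discard_on_starttls:
                    self.buf = b""  # nothing crosses the TLS boundary
                self.stale = len(self.buf)
                continue
            tainted = self.tls and self.stale > 0
            self.stale = max(0, self.stale - len(line) - len(CRLF))
            self.executed.append((cmd, self.tls, tainted))


def injected_commands(server):
    """Commands run as if encrypted although their bytes came in cleartext."""
    return [cmd for cmd, tls, tainted in server.executed if tls and tainted]


def run_session(discard_on_starttls):
    # Constructed traffic: one cleartext read carrying STARTTLS plus a
    # trailing command, then the client's genuine post-handshake data.
    server = ReaderModel(discard_on_starttls)
    server.receive(b"STARTTLS\r\nGROUP example.test\r\n")
    server.receive(b"MODE READER\r\n")
    return server


if __name__ == "__main__":
    for discard in (False, True):
        print(discard, injected_commands(run_session(discard)))
```

With the buffer kept, the trailing cleartext command is executed with the session marked as TLS-protected; with the buffer discarded at the switch, only the post-handshake command runs.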