Mandriva has issued an advisory today (October 2): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156 Mageia 1 and Mageia 2 are also affected.
CC: (none) => oeWhiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => remco
URL: (none) => http://lwn.net/Vulnerabilities/518325/
Oden has fixed this in Cauldron by upgrading to 2.5.3.
Version: Cauldron => 2Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Oden, is this change you made in Cauldron correct? - --with-berkeleydb=/usr/include/db4 \ + --with-berkeleydb=%{_prefix} \
Updated packages uploaded for Mageia 1 and Mageia 2. Advisory: ======================== Updated inn packages fix security vulnerability: The STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411 (CVE-2012-3523). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523 https://www.isc.org/software/inn/2.5.3article http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156 ======================== Updated packages in core/updates_testing: ======================== inn-2.5.3-1.mga1 inn-devel-2.5.3-1.mga1 inews-2.5.3-1.mga1 inn-2.5.3-1.mga2 inn-devel-2.5.3-1.mga2 inews-2.5.3-1.mga2 from SRPMS: inn-2.5.3-1.mga1.src.rpm inn-2.5.3-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Testing Mageia 1 shortly.
CC: (none) => davidwhodgins
After installing, "inncheck -f -perm | /bin/sh" has to be run, to fix the permissions, such as making /usr/bin/innbind suid, and correcting the ownership of various other files. Either the permissions and ownership should be fixed, or the script run as a postinstall scriptlet. On 64 bit systems, /etc/init.d/innd has the line [ -d /usr/lib/news ] || exit 0 Either the check should be removed, or changed to [ -d /usr/lib64/news ] || exit 0 The scripts in /usr/bin/, such as news.daily have . /usr/lib64/inn/news/innshellvars The innshellvars script is in /usr/bin. Either all 14 of the scripts should be fixed, or the directory /usr/lib64/inn/news created, with a symlink in it to /usr/bin/innshellvars. These bugs are not regressions, and are not blocking the update. I'm just making a note of them, for now, as I run into them.
In /usr/bin, so inncheck doesn't report errors, ln -s /etc/rc.news The inn package should suggest or require inews, to avoid error messages when running inncheck.
Testing complete on Mageia 1 i586 and x86-64. I set up inn on both, with each other as peers, added a newsgroup to both, setup a usenet client for each, posted an article on each, and read the article from both servers. I'll append a text file with the procedure used.
Whiteboard: MGA1TOO => MGA1TOO MGA1-64-OK MGA1-32-OK has_procedure
Created attachment 2964 [details] Procedure used for testing Note that I manually fixed the problems identified in Comment 5.
Be careful using attachment 2964 [details]. Somehow some of the double quotes are showing up as ââ¬Å when viewed in a browser, instead of as ".
Created attachment 2965 [details] Procdure used for testing I've edited the file using mc, replacing all of the double quotes. Hopefully they will now show up correctly in a web browser.
Attachment 2964 is obsolete: 0 => 1
Testing Mageia 2 shortly.
Bug 7876 opened for the problems listed in comment 5.
Created attachment 2978 [details] Procedure used for testing Corrected the access/newsgroups setting.
Attachment 2965 is obsolete: 0 => 1
Created attachment 2979 [details] Procedure used for testing Fixed more of the quotes.
Attachment 2978 is obsolete: 0 => 1
Testing complete on Mageia 2 i586 and x86-64. Testing using the same procedure as in comment 14, but using i2v and x2v (Mageia 2 i586 vb guest and Mageia 2 x86-64 vb guests). Could someone from the sysadmin team push the srpm inn-2.5.3-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm inn-2.5.3-1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated inn packages fix security vulnerability: The STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411 (CVE-2012-3523). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523 https://www.isc.org/software/inn/2.5.3article http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156 https://bugs.mageia.org/show_bug.cgi?id=7674
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO MGA1-64-OK MGA1-32-OK has_procedure => MGA1TOO MGA1-64-OK MGA1-32-OK has_procedure MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0305
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED