Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection

2013-02-22 Thread Jonathan Wiltshire
Package: inn2

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target stable

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-rele...@lists.debian.org
1: http://prsc.debian.net/tracker/685581/
2: 201101232332.11736.th...@debian.org
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection

2012-09-02 Thread Julien ÉLIE

Hi Marco,


>> Or does it mean that a security release should be made for previous
>> versions still maintained by the Debian project?
>
> It should be, yes. (At least, if you think that it should be fixed.)


I do not believe taking time to fix it on older versions of INN is 
worthwhile.  Not much harm can be done in NNTP when this security hole 
is exploited.  Usually, authentication and/or host checks are required 
for sensitive newsgroups.  (Also note that once a user has been 
authenticated, STARTTLS is no longer available.)


If other people think this vulnerability can be harmful, please speak up!

--
Julien ÉLIE

« – Nous parlerons quand l'interprète dormira. [Bong !]
  – Il dort. On peut parler. » (Astérix)





Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection

2012-08-30 Thread Marco d'Itri
On Aug 29, Julien ÉLIE jul...@trigofacile.com wrote:

> Or does it mean that a security release should be made for previous
> versions still maintained by the Debian project?
It should be, yes. (At least, if you think that it should be fixed.)

> And... as for inn 1.7.2, I think it does not support STARTTLS,
> right? (I have not checked.)
Yes.

-- 
ciao,
Marco




Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection

2012-08-29 Thread Julien ÉLIE

Hi all,


> Package: inn
> Version: 1.7.2q-41
> Severity: grave

> the STARTTLS implementation in INN's NNTP server for readers, nnrpd,
> before 2.5.3 does not properly restrict I/O buffering, which allows
> man-in-the-middle attackers to insert commands into encrypted
> sessions by sending a cleartext command that is processed after TLS
> is in place, related to a plaintext command injection attack, a
> similar issue to CVE-2011-0411.

> reassign 685581 inn2


I see that this bug report has been reassigned to the inn2 package.
Yet, it is not present in the latest 2.5.3-1 inn2 package.  Shouldn't 
the bug be closed for inn2 then?


Or does it mean that a security release should be made for previous 
versions still maintained by the Debian project?



And... as for inn 1.7.2, I think it does not support STARTTLS, right? (I 
have not checked.)

The feature was added in INN 2.3.0.




> Relevant upstream patch
> (the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part)


The complete patch deals with more files than nnrpd/misc.c; the relevant 
patch is:

http://inn.eyrie.org/trac/changeset/9259

I hope this commit #9259 will be of help!

--
Julien ÉLIE

« – Nous parlerons quand l'interprète dormira. [Bong !]
  – Il dort. On peut parler. » (Astérix)





Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection

2012-08-21 Thread Henri Salo
Package: inn
Version: 1.7.2q-41
Severity: grave

From oss-security mailing list:

the STARTTLS implementation in INN's NNTP server for readers,
nnrpd, before 2.5.3 does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands
into encrypted sessions by sending a cleartext command that
is processed after TLS is in place, related to a plaintext
command injection attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz

http://www.openwall.com/lists/oss-security/2012/08/21/8
http://www.openwall.com/lists/oss-security/2012/08/21/12

- Henri Salo
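
The buffering flaw described in the report above, as an added illustration that is not part of the original thread and is neither INN's code nor the upstream patch: a toy line-buffered reader in which input received before the handshake is either kept or discarded when STARTTLS is accepted. The struct, function names and the sample read are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Toy model of a server's buffered input layer (constructed for illustration). */
struct conn {
    char buf[256];  /* bytes already read from the socket, not yet parsed */
    size_t len;     /* number of valid bytes in buf */
    int tls;        /* set once the TLS handshake would have completed */
};

/* Pop one CRLF-terminated line from the buffer; returns 0 if none is complete. */
static int next_line(struct conn *c, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < c->len; i++) {
        if (c->buf[i] != '\r' || c->buf[i + 1] != '\n') continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, c->buf, n);
        out[n] = '\0';
        memmove(c->buf, c->buf + i + 2, c->len - (i + 2));
        c->len -= i + 2;
        return 1;
    }
    return 0;
}

/* Load one cleartext read into the buffer and return how many lines that
 * arrived before the handshake are handled with the session marked as TLS.
 * discard_on_starttls = 1 drops buffered input when STARTTLS is accepted. */
int cleartext_lines_handled_under_tls(const char *wire, int discard_on_starttls) {
    struct conn c = { .len = 0, .tls = 0 };
    char line[128];
    int carried_over = 0;
    c.len = strlen(wire) < sizeof c.buf ? strlen(wire) : sizeof c.buf;
    memcpy(c.buf, wire, c.len);
    while (next_line(&c, line, sizeof line)) {
        if (c.tls) { carried_over++; continue; }
        if (strcasecmp(line, "STARTTLS") == 0) {
            if (discard_on_starttls) c.len = 0;  /* the mitigation */
            c.tls = 1;  /* real code would run the TLS handshake here */
        }
    }
    return carried_over;
}

int main(void) {
    const char *wire = "STARTTLS\r\nDATE\r\n";  /* constructed sample read */
    printf("buffer kept:      %d\n", cleartext_lines_handled_under_tls(wire, 0));
    printf("buffer discarded: %d\n", cleartext_lines_handled_under_tls(wire, 1));
    return 0;
}
```

A nonzero result means input that never passed through TLS was treated as part of the protected session; discarding the buffer at the transition brings it to zero.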

