CVE-2012-3523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3523): The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
https://bugs.launchpad.net/bugs/1039881
Title: <inn-2.5.3 - plaintext command injection during the negotiation of a TLS layer
