Package: leafnode
Version: 1.11.1.rel-1
Severity: normal
Tags: security
leafnode's upstream author Matthias Andree released a new upstream version
that fixes a minor DoS issue: (Copying the report verbose as I couldn't
find it on the web site)
Cheers,
Moritz
leafnode-SA-2005:01.fetchnews-crashes-on-timeout
Topic: potential denial of service in leafnode
Announcement: leafnode-SA-2005:01
Writer: Matthias Andree
Version: 1.00
Announced: 2005-05-04
Category: main
Type: potential denial of service
Impact: fetchnews crashes, some servers not queried
Danger: low
- malicious upstream server can easily be unlisted
CVE Name: requested from FreeBSD CNA, for updates, please
see <http://leafnode.sourceforge.net/security.shtml>
Affects: leafnode versions 1.9.48 to 1.11.1 inclusively
Not affected: leafnode 1.11.2
Default install: affected.
Corrected: 2005-05-04 10:09 UTC (CVS) - committed corrected version
2005-05-04 leafnode 1.11.2 released
0. Release history
2005-05-04 1.00 initial announcement
1. Background
leafnode is a store-and-forward proxy for Usenet news, is uses the
network news transfer protocol (NNTP). It consists of several
collaborating programs, the server part is usually started by inetd,
xinetd or tcpserver, the client part is usually started by cron or
manually.
This security announcement pertains to leafnode-1, the stable branch.
The leafnode-2 development branch has not yet seen a stable release, so
it is not subject to security announcements.
2. Problem description
Two vulnerabilities were found in the fetchnews program (the NNTP
client). These can cause the fetchnews program to crash when the
upstream server closes the connection while leafnode is receiving (1) an
article header, or (2) an article body.
3. Impact
A malicious upstream server that purposefully drops the connection after
fetchnews has requested an article header or body can prevent fetchnews
from ever querying other servers that are listed after the malicious
server in the configuration file.
4. Workaround
Comment out all configuration pertaining to the malicious server.
Note that this is not a full solution as transient network errors can
also cause delays in querying other network servers, and it requires
manual intervention to find out which server is malicious.
5. Solution
Upgrade your leafnode package to version 1.11.2.
leafnode 1.11.2 is available from SourceForge:
<http://sourceforge.net/project/showfiles.php?group_id=57767>
Leafnode 1.X versions are deemed stable, and it is usually best to go
for the latest released 1.X version to have all the other bug fixes as
well.
A. References
leafnode home page: <http://leafnode.sourceforge.net/>
END OF leafnode-SA-2005:01.fetchnews-crashes-on-timeout
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages leafnode depends on:
ii debconf 1.4.48 Debian configuration management sy
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
ii libpcre3 5.0-1 Perl 5 Compatible Regular Expressi
ii logrotate 3.7-2 Log rotation utility
ii netbase 4.21 Basic TCP/IP networking system
ii tcpd 7.6.dbs-8 Wietse Venema's TCP wrapper utilit
-- debconf information excluded
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
