Re: Security problem in C news and INN

casperfwi.uva.nl

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Perry E. Metzger: "Re: Security problem in C news and INN"
• Previous message: Jim Duncan: "Re: syslog/udp"
• In reply to: Featherlace: "Security problem in C news and INN"
• Next in thread: Perry E. Metzger: "Re: Security problem in C news and INN"

>Maybe I'm the last person on the planet to realize this.....  is it common
>knowledge that there's a *major* security hole in both C news performance
>release, and old versions of INN?
>
>If anyone doesn't know what I'm talking about, then you may want to disable
>newgroup and checkgroups processing from C news (performance release), and
>disable processing of ALL control messages except cancel from INN.  Disable
>them <completely>, best with an "exit 0" at the first line of all
>appropriate scripts.  Do not attempt to interpret or process these articles
>in any way.  Don't do _anything_ with these articles except ignore them.
>This is overkill, but anything more specific would be too much of a
>giveaway.

If you use INN, you can get inn1.4.sec from ftp.uu.net.
It fixes this problem.
I'm not sure that disabling all control messages except cancel
actually works.

Casper

• Next message: Perry E. Metzger: "Re: Security problem in C news and INN"
• Previous message: Jim Duncan: "Re: syslog/udp"
• In reply to: Featherlace: "Security problem in C news and INN"
• Next in thread: Perry E. Metzger: "Re: Security problem in C news and INN"