Date: Fri, 9 Jan 2004 02:56:25 +0100
From: Matthias Andree <matthias.andree@....de>
To: leafnode-announce@...ts.sourceforge.net,
	bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: leafnode -1.9.47 security announcement SA-2004-01


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

leafnode-SA-2004:01.fetchnews-hang-no-body

Topic:		potential denial of service in leafnode

Announcement:	leafnode-SA-2004:01
Writer:		Matthias Andree
Version:	1.00
Announced:	2004-01-09
Category:	main
Type:		potential denial of service
Impact:		fetchnews hangs, no new fetchnews/texpire processes
		can be started
Credits:	Toni Viemerö
Danger:		medium:
		- only one process will clog memory since leafnode-1.9.20
		  bug can hang for an extended amount of time
		- no privilege escalation through this bug

Affects:	leafnode versions up to and including 1.9.47 (2004)

Not affected:	leafnode 1.9.48

Default install: affected.

Corrected:	2004-01-09 00:53 UTC (CVS) - committed corrected version
		2004-01-09 01:26             leafnode 1.9.48 released

0. Release history

2004-01-09	1.00 initial announcement

1. Background

leafnode is a store-and-forward proxy for Usenet news; it uses the
Network News Transfer Protocol (NNTP). It consists of several
collaborating programs: the server part is usually started by inetd,
xinetd or tcpserver, and the client part is usually started by cron or
manually.

This security announcement pertains to leafnode-1, the stable branch.

The leafnode-2 development branch has not yet seen a stable release, so
it is not subject to security announcements.

2. Problem description

A vulnerability was found in the fetchnews program (the NNTP client) that
may, under some circumstances, cause it to wait for input that never
arrives, so that fetchnews "hangs". This hang does not consume CPU.
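The failure class described above is a blocking network read with no
deadline: an NNTP client that has sent its command and now waits for a
dot-terminated body that the peer never sends. The following is an added
example, not leafnode code and not the 1.9.48 fix; it shows a bounded
reader for an NNTP multi-line response that raises instead of waiting
forever, and a constructed peer (socketpair) that sends a partial body and
then goes silent. The names NntpTimeout, read_multiline, simulate and
fetch_outcome are assumptions made for this example.

```python
import socket

# Constructed example (not leafnode's code): read a dot-terminated NNTP
# multi-line block with a deadline, so a peer that stops sending cannot
# block the client indefinitely.


class NntpTimeout(Exception):
    """Raised when the peer stops sending before the body is complete."""


def read_multiline(sock, timeout=5.0, max_bytes=1 << 20):
    """Read one dot-terminated NNTP block from sock.

    Returns the decoded lines with dot-stuffing undone and the "." terminator
    removed. Raises NntpTimeout if no data arrives for `timeout` seconds,
    ValueError if the peer closes the connection or exceeds max_bytes before
    sending the terminator. Without the timeout, recv() would block forever
    on a peer that never sends the body.
    """
    sock.settimeout(timeout)
    buf = b""
    lines = []
    while True:
        # Consume every complete CRLF-terminated line already buffered.
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if line == b".":
                return [l.decode("latin-1") for l in lines]
            if line.startswith(b"."):
                line = line[1:]  # undo dot-stuffing of lines starting with "."
            lines.append(line)
        if len(buf) > max_bytes:
            raise ValueError("response too large without terminator")
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            raise NntpTimeout("peer went silent before sending the '.' line")
        if not chunk:
            raise ValueError("connection closed before terminator")
        buf += chunk


def simulate(peer_payload, timeout=0.2, close_after=False):
    """Run read_multiline against a constructed peer over a socketpair.

    The peer sends peer_payload and then either keeps the socket open and
    silent (the hang scenario) or closes it (close_after=True).
    """
    client, server = socket.socketpair()
    try:
        server.sendall(peer_payload)
        if close_after:
            server.close()
        return read_multiline(client, timeout=timeout)
    finally:
        client.close()
        if not close_after:
            server.close()


def fetch_outcome(peer_payload, timeout=0.2, close_after=False):
    """Classify what the bounded reader does for a given peer behaviour."""
    try:
        return "complete", simulate(peer_payload, timeout, close_after)
    except NntpTimeout:
        return "timeout", None
    except ValueError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    # Constructed payloads: a complete body, then a body that never ends.
    print(fetch_outcome(b"Subject: hi\r\n..starts with dot\r\n.\r\n"))
    print(fetch_outcome(b"220 0 <id@example.invalid> article follows\r\nSubject: hi\r\n"))
    print(fetch_outcome(b"Subject: hi\r\n", close_after=True))
```

The second call returns a "timeout" outcome after 0.2 s instead of
hanging; a caller can then log the incident, drop the connection and exit
cleanly, which also releases whatever serialises concurrent client runs.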

3. Impact

As only one fetchnews program can run at a time, fetchnews and texpire
programs started subsequently will terminate immediately. This means
that the news base will no longer be updated and older articles will no
longer expire until the hanging fetchnews process gets unstuck, usually
through a manual "kill" command or a reboot.

4. Workaround

Set minlines=1 in your configuration file, usually /etc/leafnode/config.
This workaround will only work with leafnode 1.9.47, not with older
versions.

NOTE: Killing fetchnews before completion leaves stale data on disk and
is therefore not deemed reliable, although it relieves the immediate
"cannot start texpire or fetchnews" condition.

5. Solution

Upgrade your leafnode package to version 1.9.48.

Note that leafnode 1.9.X versions are deemed stable, and it is usually
best to go for the latest released 1.9.X version to have all the other
bug fixes as well. No broken-out version of this patch will be
provided; distributors are urged to update to the latest leafnode
version. The diff between leafnode 1.9.47 and 1.9.48 may serve as a
replacement, provided it applies to the version in question. It may very
well not.

leafnode 1.9.48 is available from sourceforge:

http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=208614

A. References

leafnode home page: http://leafnode.sourceforge.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQE//goEvmGDOQUufZURAuXxAJ4/HXCpdaXGSEx3GxM5VyEY2KHQBACg9iVG
MUwYI6aZWZN4UtxD6LL+0WU=
=lrOi
-----END PGP SIGNATURE-----