Re: Security problem in C news and INN

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Evil Pete: "Re: Security problem in C news and INN"
• Previous message: Casper Dik: "Re: Security problem in C news and INN"
• In reply to: Casper Dik: "Re: Security problem in C news and INN"
• Next in thread: Scott Chasin: "Re: Security problem in C news and INN"

This is bugtraq, not some CERT list. Would someone please explain how
this hole works? I run C News, not INN, and I can't feel secure unless
I can check the bug on my own.

Perry

Casper Dik says:
>
> >Maybe I'm the last person on the planet to realize this.....  is it common
> >knowledge that there's a *major* security hole in both C news performance
> >release, and old versions of INN?
> >
> >If anyone doesn't know what I'm talking about, then you may want to disable
> >newgroup and checkgroups processing from C news (performance release), and
> >disable processing of ALL control messages except cancel from INN.  Disable
> >them <completely>, best with an "exit 0" at the first line of all
> >appropriate scripts.  Do not attempt to interpret or process these articles
> >in any way.  Don't do _anything_ with these articles except ignore them.
> >This is overkill, but anything more specific would be too much of a
> >giveaway.
>
> If you use INN, you can get inn1.4.sec from ftp.uu.net.
> It fixes this problem.
> I'm not sure that disabling all control messages except cancel
> actually works.
>
> Casper

• Next message: Evil Pete: "Re: Security problem in C news and INN"
• Previous message: Casper Dik: "Re: Security problem in C news and INN"
• In reply to: Casper Dik: "Re: Security problem in C news and INN"
• Next in thread: Scott Chasin: "Re: Security problem in C news and INN"