"Fossies" - the Fresh Open Source Software Archive 
Member "leafnode-1.12.0/leafnode-SA-2004-01.txt" (28 Dec 2021, 3008 Bytes) of package /linux/misc/leafnode-1.12.0.tar.xz:
As a special service "Fossies" has tried to format the requested text file into HTML format (style:
standard) with prefixed line numbers.
Alternatively you can here
view or
download the uninterpreted source code file.
See also the latest
Fossies "Diffs" side-by-side code changes report for "leafnode-SA-2004-01.txt":
1.11.12_vs_1.12.0.
1 leafnode-SA-2004:01.fetchnews-hang-no-body
2
3 Topic: potential denial of service in leafnode
4
5 Announcement: leafnode-SA-2004:01
6 Writer: Matthias Andree
7 Version: 1.01
8 Announced: 2004-01-09
9 Category: main
10 Type: potential denial of service
11 Impact: fetchnews hangs, no new fetchnews/texpire processes
12 can be started
13 Credits: Toni Viemerö
14 Danger: medium:
15 - only one process will clog memory since leafnode-1.9.20
16 bug can hang for an extended amount of time
17 - no privilege escalation through this bug
18 CVE Name: CVE-2004-2068
19 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2068
20
21 Affects: leafnode versions up to and including 1.9.47 (2004)
22
23 Not affected: leafnode 1.9.48
24
25 Default install: affected.
26
27 Corrected: 2004-01-09 00:53 UTC (CVS) - committed corrected version
28 2004-01-09 01:26 leafnode 1.9.48 released
29
30 0. Release history
31
32 2004-01-09 1.00 initial announcement
33 2005-05-07 1.01 add CVE name and URL
34
35 1. Background
36
37 leafnode is a store-and-forward proxy for Usenet news, is uses the
38 network news transfer protocol (NNTP). It consists of several
39 collaborating programs, the server part is usually started by inetd,
40 xinetd or tcpserver, the client part is usually started by cron or
41 manually.
42
43 This security announcement pertains to leafnode-1, the stable branch.
44
45 The leafnode-2 development branch has not yet seen a stable release, so
46 it is not subject to security announcements.
47
48 2. Problem description
49
50 A vulnerability was found in the fetchnews program (the NNTP client) that
51 may under some circumstances cause a wait for input that never arrives,
52 fetchnews "hangs". This hang does not cost CPU.
53
54 3. Impact
55
56 As only one fetchnews program can run at a time, subsequently started
57 fetchnews and texpire programs will terminate immediately. This means
58 that the news base will no longer be updated, older articles will no
59 longer expire, until the hanging fetchnews process gets unstuck, usually
60 through a manual "kill" command or a reboot.
61
62 4. Workaround
63
64 Set minlines=1 in your configuration file, usually /etc/leafnode/config.
65 This workaround will only work with leafnode 1.9.47, not with older
66 versions.
67
68 NOTE: Killing fetchnews before completion leaves stale data on disk and
69 is therefore not deemed reliable, although it relieves the immediate
70 "cannot start texpire or fetchnews" condition.
71
72 5. Solution
73
74 Upgrade your leafnode package to version 1.9.48.
75
76 Note that leafnode 1.9.X versions are deemed stable, and it is usually
77 best to go for the latest released 1.9.X version to have all the other
78 bug fixes as well. No broken-out version of this patch will be
79 provided, distributors are urged to update to the latest leafnode
80 version. The diff between leafnode 1.9.47 and 1.9.48 may serve as a
81 replacement, provided it applies to the version in question. It may very
82 well not.
83
84 leafnode 1.9.48 is available from sourceforge:
85
86 http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=208614
87
88 A. References
89
90 leafnode home page: http://www.leafnode.org/