"Fossies" - the Fresh Open Source Software Archive

Member "leafnode-1.12.0/leafnode-SA-2004-01.txt" (28 Dec 2021, 3008 Bytes) of package /linux/misc/leafnode-1.12.0.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "leafnode-SA-2004-01.txt": 1.11.12_vs_1.12.0.

    1 leafnode-SA-2004:01.fetchnews-hang-no-body
    2 
    3 Topic:		potential denial of service in leafnode
    4 
    5 Announcement:	leafnode-SA-2004:01
    6 Writer:		Matthias Andree
    7 Version:	1.01
    8 Announced:	2004-01-09
    9 Category:	main
   10 Type:		potential denial of service
   11 Impact:		fetchnews hangs, no new fetchnews/texpire processes
   12 		can be started
   13 Credits:	Toni Viemerö
   14 Danger:		medium:
   15 		- only one process will clog memory since leafnode-1.9.20
   16 		  bug can hang for an extended amount of time
   17 		- no privilege escalation through this bug
   18 CVE Name:	CVE-2004-2068
   19 URL:		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2068
   20 
   21 Affects:	leafnode versions up to and including 1.9.47 (2004)
   22 
   23 Not affected:	leafnode 1.9.48
   24 
   25 Default install: affected.
   26 
   27 Corrected:	2004-01-09 00:53 UTC (CVS) - committed corrected version
   28 		2004-01-09 01:26             leafnode 1.9.48 released
   29 
   30 0. Release history
   31 
   32 2004-01-09	1.00 initial announcement
   33 2005-05-07	1.01 add CVE name and URL
   34 
   35 1. Background
   36 
   37 leafnode is a store-and-forward proxy for Usenet news, is uses the
   38 network news transfer protocol (NNTP). It consists of several
   39 collaborating programs, the server part is usually started by inetd,
   40 xinetd or tcpserver, the client part is usually started by cron or
   41 manually.
   42 
   43 This security announcement pertains to leafnode-1, the stable branch.
   44 
   45 The leafnode-2 development branch has not yet seen a stable release, so
   46 it is not subject to security announcements.
   47 
   48 2. Problem description
   49 
   50 A vulnerability was found in the fetchnews program (the NNTP client) that
   51 may under some circumstances cause a wait for input that never arrives,
   52 fetchnews "hangs". This hang does not cost CPU.
   53 
   54 3. Impact
   55 
   56 As only one fetchnews program can run at a time, subsequently started
   57 fetchnews and texpire programs will terminate immediately. This means
   58 that the news base will no longer be updated, older articles will no
   59 longer expire, until the hanging fetchnews process gets unstuck, usually
   60 through a manual "kill" command or a reboot.
   61 
   62 4. Workaround
   63 
   64 Set minlines=1 in your configuration file, usually /etc/leafnode/config.
   65 This workaround will only work with leafnode 1.9.47, not with older
   66 versions.
   67 
   68 NOTE: Killing fetchnews before completion leaves stale data on disk and
   69 is therefore not deemed reliable, although it relieves the immediate
   70 "cannot start texpire or fetchnews" condition.
   71 
   72 5. Solution
   73 
   74 Upgrade your leafnode package to version 1.9.48.
   75 
   76 Note that leafnode 1.9.X versions are deemed stable, and it is usually
   77 best to go for the latest released 1.9.X version to have all the other
   78 bug fixes as well. No broken-out version of this patch will be
   79 provided, distributors are urged to update to the latest leafnode
   80 version. The diff between leafnode 1.9.47 and 1.9.48 may serve as a
   81 replacement, provided it applies to the version in question. It may very
   82 well not.
   83 
   84 leafnode 1.9.48 is available from sourceforge:
   85 
   86 http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=208614
   87 
   88 A. References
   89 
   90 leafnode home page: http://www.leafnode.org/