Bugtraq mailing list archives
Re: Security problem in C news and INN
From: pmetzger () lehman com (Perry E. Metzger)
Date: Thu, 24 Feb 1994 11:15:38 -0500
This is bugtraq, not some CERT list. Would someone please explain how this hole works? I run C News, not INN, and I can't feel secure unless I can check the bug on my own.

Perry

Casper Dik says:
Maybe I'm the last person on the planet to realize this..... is it common knowledge that there's a *major* security hole in both C news performance release, and old versions of INN?

If anyone doesn't know what I'm talking about, then you may want to disable newgroup and checkgroups processing from C news (performance release), and disable processing of ALL control messages except cancel from INN. Disable them <completely>, best with an "exit 0" at the first line of all appropriate scripts. Do not attempt to interpret or process these articles in any way. Don't do _anything_ with these articles except ignore them. This is overkill, but anything more specific would be too much of a giveaway.

If you use INN, you can get inn1.4.sec from ftp.uu.net. It fixes this problem.

I'm not sure that disabling all control messages except cancel actually works.

Casper