Bugtraq mailing list archives
Re: SNI-16: INN News Server Security Advisory (fwd)
From: davids () silence secnet com (David Sacerdote)
Date: Mon, 28 Jul 1997 17:10:56 -0600
Be aware that the SNI advisory is wrong on two counts here:

1. There is no "INN 1.6", at least not a released version. There is an early beta test version of 1.6 available on the ISC ftp site, but it is rather unstable and not at all a drop-in replacement for 1.5.1. There is an active discussion on the news.software.nntp newsgroup about this -- the current consensus is that 1.6b1 is not suitable for use in anything but a testing environment.

2. As of last Friday, 25 Jul 97, the ISC has announced that they will be making a set of patches for 1.5.1 available.
The information in the advisory is based on what the ISC told us prior to its release. We provided the ISC with 160k of diffs against 1.5.0, well in advance of the release of 1.5.1. They chose not to include them in the 1.5.1 release, and incorporated them into the latest beta. When the ISC informed us that they would have a beta which included our fixes available, we released the advisory at approximately the time the fixes were supposed to be available. At the time, James Brister, who maintains INN for the ISC, informed us that there would be no patches for versions earlier than 1.6. Apparently, it has since transpired that INN 1.6beta1 is not as stable as the ISC believed. Therefore, they have decided to release a set of patches against 1.5.1.

The reason we posted is this. The overflows present in INN were trivial to find. In fact, had they not been actively exploited in the wild before the advisory, we would be *shocked*. Would you rather that nobody except those who are interested in cracking your systems know about these problems, or would you rather be properly apprised of the dangers of certain software?

David Sacerdote