Re: rh 6.2 - gid compromises, etc

[rra () STANFORD EDU (Russ Allbery)]

Michal Zalewski <lcamtuf () TPI PL> writes:

>   Under some conditions, inews can be used in the same way, but bug
>   is hidden a little bit deeper. I'll leave it as an exercise to
>   readers (and maintainers - please audit your code, not only fix
>   published bugs),

inews is no longer installed setgid in the current versions of INN, and I
recommend that other packagers of INN make that change as well.  I have
gone through the code a few times to try to clean it up, but it is in dire
need of a complete rewrite (which would be less work than a full audit,
frankly) and I would not recommend giving it enhanced privileges until
that's been done.

--
Russ Allbery (rra () stanford edu)             <http://www.eyrie.org/~eagle/>