[UNIX] Leafnode DoS (Missing Input)

From: SecuriTeam (support_at_securiteam.com)
Date: 01/11/04

    To: list@securiteam.com
    Date: 11 Jan 2004 11:48:38 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Leafnode DoS (Missing Input)
    ------------------------------------------------------------------------

    SUMMARY

     <http://sourceforge.net/projects/leafnode/> leafnode is a
    store-and-forward proxy for Usenet news; it uses the Network News Transfer
    Protocol (NNTP). It consists of several collaborating programs: the server
    part is usually started by inetd, xinetd, or tcpserver, and the client part
    is usually started by cron or manually.

    A vulnerability was found in the fetchnews program (the NNTP client) that
    may under some circumstances cause a wait for input that never arrives, so
    that fetchnews "hangs". This hang does not cost CPU.

    DETAILS

    Vulnerable systems:
     * leafnode version 1.9.47

    Immune systems:
     * leafnode version 1.9.48

    Impact:
    As only one fetchnews program can run at a time, subsequently started
    fetchnews and texpire programs will terminate immediately. This means that
    the news base will no longer be updated and older articles will no longer
    expire until the hanging fetchnews process gets unstuck, usually through
    a manual "kill" command or a reboot.

    Workaround:
    Set minlines=1 in your configuration file, usually /etc/leafnode/config.
    This workaround will only work with leafnode 1.9.47, not with older
    versions.

    NOTE: Killing fetchnews before completion leaves stale data on disk and is
    therefore not deemed reliable, although it relieves the immediate "cannot
    start texpire or fetchnews" condition.

    Solution:
    Upgrade your leafnode package to version 1.9.48.

    Note that leafnode 1.9.X versions are deemed stable, and it is usually
    best to go for the latest released 1.9.X version to have all the other bug
    fixes as well. No broken-out version of this patch will be provided;
    distributors are urged to update to the latest leafnode version. The diff
    between leafnode 1.9.47 and 1.9.48 may serve as a replacement, provided it
    applies to the version in question. It may very well not.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:matthias.andree@gmx.de>
    Matthias Andree and Toni Viemerö.
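
A report-only check for the condition described under Impact, added here as an example and not part of the advisory or of leafnode: it flags fetchnews processes whose elapsed run time exceeds a threshold. The function name, the threshold and the sample `ps` lines are constructed for illustration, and it assumes `ps` reports the command name as `fetchnews`.

```shell
#!/bin/sh
# Added example (not leafnode code): list fetchnews processes that have been
# running longer than a threshold. It only reports; the advisory notes that
# killing fetchnews before completion leaves stale data on disk.

# stuck_fetchnews MAX_SECONDS
# Reads "pid etime comm" lines on stdin (the output of
# `ps -eo pid=,etime=,comm=`) and prints "pid elapsed_seconds" for every
# fetchnews process that has run for more than MAX_SECONDS.
stuck_fetchnews() {
    awk -v max="$1" '
    # Convert the ps etime format [[dd-]hh:]mm:ss to seconds.
    function secs(e,    a, p, n, d, s) {
        d = 0
        if (split(e, a, "-") == 2) { d = a[1]; e = a[2] }
        n = split(e, p, ":")
        if (n == 3)      s = p[1] * 3600 + p[2] * 60 + p[3]
        else if (n == 2) s = p[1] * 60 + p[2]
        else             s = p[1]
        return d * 86400 + s
    }
    $3 == "fetchnews" {
        t = secs($2)
        if (t > max) print $1, t
    }'
}

# Constructed sample of `ps -eo pid=,etime=,comm=` output (not real data).
SAMPLE_PS='  812       02:15 cron
 4711  1-03:12:45 fetchnews
 5120       00:42 fetchnews
 5133    05:00:01 leafnode'

# Demonstration on the constructed sample with a one-hour threshold.
printf '%s\n' "$SAMPLE_PS" | stuck_fetchnews 3600

# Live use, for example from cron (the threshold is a site-specific choice):
#   ps -eo pid=,etime=,comm= | stuck_fetchnews 3600
```
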
