[VulnWatch] leafnode security announcement leafnode-SA-2005-01

From: Matthias Andree (matthias.andree_at_gmx.de)
Date: 05/04/05

  • Next message: Pieter de Boer: "[VulnWatch] Local root vuln in VPN daemon on MacOS X"
    Date: Wed, 4 May 2005 17:23:11 +0200
    To: leafnode-announce@lists.sourceforge.net
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    leafnode-SA-2005:01.fetchnews-crashes-on-timeout

    Topic: potential denial of service in leafnode

    Announcement: leafnode-SA-2005:01
    Writer: Matthias Andree
    Version: 1.00
    Announced: 2005-05-04
    Category: main
    Type: potential denial of service
    Impact: fetchnews crashes, some servers not queried
    Danger: low
                    - malicious upstream server can easily be unlisted
    CVE Name: requested from FreeBSD CNA, for updates, please
                    see <http://leafnode.sourceforge.net/security.shtml>

    Affects: leafnode versions 1.9.48 to 1.11.1 inclusively

    Not affected: leafnode 1.11.2

    Default install: affected.

    Corrected: 2005-05-04 10:09 UTC (CVS) - committed corrected version
                    2005-05-04 leafnode 1.11.2 released

    0. Release history

    2005-05-04 1.00 initial announcement

    1. Background

    leafnode is a store-and-forward proxy for Usenet news, is uses the
    network news transfer protocol (NNTP). It consists of several
    collaborating programs, the server part is usually started by inetd,
    xinetd or tcpserver, the client part is usually started by cron or
    manually.

    This security announcement pertains to leafnode-1, the stable branch.

    The leafnode-2 development branch has not yet seen a stable release, so
    it is not subject to security announcements.

    2. Problem description

    Two vulnerabilities were found in the fetchnews program (the NNTP
    client). These can cause the fetchnews program to crash when the
    upstream server closes the connection while leafnode is receiving (1) an
    article header, or (2) an article body.

    3. Impact

    A malicious upstream server that purposefully drops the connection after
    fetchnews has requested an article header or body can prevent fetchnews
    from ever querying other servers that are listed after the malicious
    server in the configuration file.

    4. Workaround

    Comment out all configuration pertaining to the malicious server.

    Note that this is not a full solution as transient network errors can
    also cause delays in querying other network servers, and it requires
    manual intervention to find out which server is malicious.

    5. Solution

    Upgrade your leafnode package to version 1.11.2.
    leafnode 1.11.2 is available from SourceForge:
    <http://sourceforge.net/project/showfiles.php?group_id=57767>

    Leafnode 1.X versions are deemed stable, and it is usually best to go
    for the latest released 1.X version to have all the other bug fixes as
    well.

    A. References

    leafnode home page: <http://leafnode.sourceforge.net/>

    END OF leafnode-SA-2005:01.fetchnews-crashes-on-timeout
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (GNU/Linux)

    iD8DBQFCeOjfvmGDOQUufZURAmX8AKCjHNY0If1VSN+Sedr8l1MFapRuowCff7mV
    EPQD1WBDzBMgmNCYVZjJz7M=
    =ObqW
    -----END PGP SIGNATURE-----


  • Next message: Pieter de Boer: "[VulnWatch] Local root vuln in VPN daemon on MacOS X"

    Relevant Pages

    • Re: Are there any other killer-apps like mc ?
      ... speaking of leafnode. ... vulnerabilities in the leafnode NNTP server package have been found: ... Two vulnerabilities in the fetchnews program can cause fetchnews to ...
      (comp.os.linux.misc)
    • pan set to localhost for leafnode?
      ... correct for interacting with leafnode. ... Pan seems to work fine when I enter my ISP's server ... shawnews.vc.shawcable.net: 0 articles posted. ... 169 ## read from groups with lots of postings. ...
      (news.software.readers)
    • Re: Leafnode
      ... Leafnode is a news server, not a mail server, so I'm going to read this ... When Knode requests the articles from the groups you subscribe to, ...
      (alt.os.linux.suse)
    • leafnode security announcement leafnode-SA-2005-01
      ... leafnode is a store-and-forward proxy for Usenet news, ... collaborating programs, the server part is usually started by inetd, ... Two vulnerabilities were found in the fetchnews program (the NNTP ... Note that this is not a full solution as transient network errors can ...
      (Bugtraq)
    • Re: How to connect server to usenet ?
      ... knows where can I find a good documentation about Inn server and Usenet? ... Consider using Leafnode instead. ... I run one for my home needs and one as our company news "proxy". ...
      (comp.os.linux.networking)