Gentoo Archives: gentoo-announce

From: Chris Reffett <creffett@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201401-24 ] INN: Man-in-the-middle attack
Date: Tue, 21 Jan 2014 20:56:58
Message-Id: 52DEDCF3.2030203@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201401-24
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Low
8 Title: INN: Man-in-the-middle attack
9 Date: January 21, 2014
10 Bugs: #432002
11 ID: 201401-24
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A vulnerability in INN's STARTTLS implementation could allow a remote
19 attacker to conduct a man-in-the-middle attack.
20
21 Background
22 ==========
23
24 INN is a news server which can interface with Usenet.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-nntp/inn < 2.5.3 >= 2.5.3
33
34 Description
35 ===========
36
37 INN's I/O buffering is not correctly restricted.
38
39 Impact
40 ======
41
42 A remote attacker could inject commands into encrypted NNTP sessions.
43
44 Workaround
45 ==========
46
47 There is no known workaround at this time.
48
49 Resolution
50 ==========
51
52 All INN users should upgrade to the latest version:
53
54 # emerge --sync
55 # emerge --ask --oneshot --verbose ">=net-nntp/inn-2.5.3"
56
57 References
58 ==========
59
60 [ 1 ] CVE-2012-3523
61 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3523
62
63 Availability
64 ============
65
66 This GLSA and any updates to it are available for viewing at
67 the Gentoo Security Website:
68
69 http://security.gentoo.org/glsa/glsa-201401-24.xml
70
71 Concerns?
72 =========
73
74 Security is a primary focus of Gentoo Linux and ensuring the
75 confidentiality and security of our users' machines is of utmost
76 importance to us. Any security concerns should be addressed to
77 security@g.o or alternatively, you may file a bug at
78 https://bugs.gentoo.org.
79
80 License
81 =======
82
83 Copyright 2014 Gentoo Foundation, Inc; referenced text
84 belongs to its owner(s).
85
86 The contents of this document are licensed under the
87 Creative Commons - Attribution / Share Alike license.
88
89 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature