
[leafnode-list] [Leafnode-announce] Leafnode 1.9.48.rel released - SECURITY FIXES - (STABLE)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                ----------------------------------------
                 leafnode 1.9.48.rel has been released.
                ----------------------------------------
                    http://leafnode.sourceforge.net/

Leafnode 1.9.48 fixes a "fetchnews hangs" security bug that has been
present in some versions since 1.9.33 at the latest.
No privilege escalation is possible, but fetchnews can be denied
service, depending on local leafnode version and configuration, by
placing a non-conforming article on a news server that fetchnews fetches
from.

All users of older leafnode-1.9 series versions ought to update.


A binary RPM for Linux with glibc 2.2 and i486 or compatible processors
is provided. It also requires a package providing libpcre.so.0 and xinetd.


There are two mailing lists:

1. this very low traffic announcements list (moderated)
   http://lists.sourceforge.net/lists/listinfo/leafnode-announce

2. a moderate traffic user discussion list (free posting to subscribers)
   http://www.dt.e-technik.uni-dortmund.de/mailman/listinfo/leafnode-list


Leafnode 1.9.48 is or will become available in .tar.bz2 format from these sites:

o SourceForge -- this site also carries patches to upgrade
   http://sourceforge.net/projects/leafnode/
   http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=208614
   rsync://osdn.dl.sourceforge.net/sourceforge/leafnode/

   Patch:
   http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=208615

o Dortmund University -- this site also carries .tar.gz tarballs
    http://mandree.home.pages.de/leafnode/
    rsync://www.dt.e-technik.uni-dortmund.de/leafnode-1/

o IBiblio/MetaLab (will take some days to pick up) -- has FTP sites
    http://ibiblio.org/pub/Linux/MIRRORS.html
    Check the system/news/transport directory

Not all sites carry all files, the .tar.bz2 is available everywhere,
the upgrade patch is available everywhere except IBiblio.


SHA1 checksums:
8969951b4c31ab27594da20aa7fbf3fb9f2de45c *leafnode-1.9.48.rel.tar.bz2
f6e1499709d80616b3f10e546021b1899ce9dba2 *leafnode-1.9.48.rel.tar.gz
8e88b79f38eba76f3828dd4a99ecdcb96258b3f5 *upgrade-1.9.47-to-1.9.48.diff.gz

MD5 checksums:
629f5d4cd8eb6c2140ac7b3684c3085a *leafnode-1.9.48.rel.tar.bz2
d0d6de14a4799dfcd5eef49ac7be5844 *leafnode-1.9.48.rel.tar.gz
5aea6281761cafb1f391df1a89a0aaff *upgrade-1.9.47-to-1.9.48.diff.gz

File sizes:
665709 leafnode-1.9.48.rel.tar.bz2
829079 leafnode-1.9.48.rel.tar.gz
  3241 upgrade-1.9.47-to-1.9.48.diff.gz

The .bz2 format is used by the OpenSource bzip2 compressor that is
available from http://sources.redhat.com/bzip2/

Below is the NEWS file excerpt, with changes since leafnode-1.9.47.rel.
The full ChangeLog ships with the tarballs and can be viewed at
http://mandree.home.pages.de/leafnode/ChangeLog.txt

Have fun,
Matthias Andree, Leafnode maintainer

>-----------------------------------------------------------------------------
### SECURITY BUGFIX
o Fetchnews: when a. minlines=0 (default) and b. delaybody=0 (default) and
  either c. no filterfile is configured (default) or a. and b. and d.
  article_despite_filter=1 are configured, an article with missing mandatory
  headers and without body can hang fetchnews and/or prevent the fetch of
  further articles from the current group or server.
  Reported by Toni Viemerö, SourceForge bug 873149.
  This was a denial-of-service bug, not one that could lead to local or remote
  privilege escalation.

### BUGFIX
o Fetchnews: log group name when articles are skipped that match the minlines,
  maxlines, maxbytes or age filters, for more consistent logging.

### CHANGES
o Rebuilt with autoconf 2.59.
>-----------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQE//gs5vmGDOQUufZURAqqKAKDEftUIcfSp1FzqCOPTd16TxWPmkQCeJ2qo
T3yTMBZU70Lco8WsUli7rhc=
=SrgU
-----END PGP SIGNATURE-----
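
The affected configuration from the SECURITY BUGFIX entry above (a. and b. and either c. or d.), written as a check over a leafnode configuration file. This is an added example, not part of the announcement or of leafnode's own code; it assumes `key = value` config lines with `#` comments and a default of article_despite_filter=0, and the sample configuration is constructed.

```python
import re

# Defaults: minlines, delaybody and filterfile as stated in the NEWS entry;
# article_despite_filter=0 is an assumption (the entry lists 1 as non-default).
DEFAULTS = {"minlines": "0", "delaybody": "0", "filterfile": "",
            "article_despite_filter": "0"}

def parse_config(text):
    """Parse 'key = value' lines (assumed syntax); '#' starts a comment."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in settings:
            settings[key.lower()] = value
    return settings

def as_int(value):
    """Numeric option value; non-numeric or empty input counts as 0."""
    m = re.match(r"-?\d+", value)
    return int(m.group()) if m else 0

def config_exposed(settings):
    """True when a. and b. and (c. or d.) from the NEWS entry all hold."""
    a = as_int(settings["minlines"]) == 0
    b = as_int(settings["delaybody"]) == 0
    c = settings["filterfile"] == ""
    d = as_int(settings["article_despite_filter"]) == 1
    return a and b and (c or d)

def needs_update(version):
    """True for 1.9-series versions older than 1.9.48, e.g. '1.9.47.rel'."""
    major, minor, patch = (int(n) for n in version.split(".")[:3])
    return (major, minor) == (1, 9) and patch < 48

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
server = news.example.org   # constructed hostname
expire = 20
filterfile = /etc/leafnode/filters
article_despite_filter = 1
"""

if __name__ == "__main__":
    s = parse_config(SAMPLE)
    print("exposed configuration:", config_exposed(s))
    print("1.9.47.rel needs update:", needs_update("1.9.47.rel"))
```

Changing the configuration so that `config_exposed` returns False only avoids the conditions listed in the entry; the fix itself is the update to 1.9.48.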

