[leafnode-list] [Leafnode-announce] Leafnode 1.9.52.rel released (STABLE) - important bugfixes
-----BEGIN PGP SIGNED MESSAGE-----
leafnode 1.9.52.rel has been released.
Leafnode 1.9.52.rel fixes lots of bugs, see the detailed report below.
Among the bugs fixed are "texpire does not expire when a malicious user
has created hard links"(*), "fetchnews unsubscribes from low-traffic
groups", broken time zone handling, too wide ranges in article re-fetch
after abort and in NEWGROUPS handling, handling of upstream servers with
(*) No separate announcement will be issued because the exploitation of
this bug requires that the user has write access somewhere on the same
partition as the news spool lives in, so he has simpler means to fill up
the disk than instrumenting leafnode. Leafnode does not condone such
tricks however and does not rely solely on the hard link count any more.
All users of older leafnode-1.9 series versions should update.
A binary RPM for Linux with glibc 2.2 and i486 or compatible processors
is provided. It also requires a package providing libpcre.so.0 and xinetd.
Leafnode 1.9.52 is or will become available in .tar.bz2 format from these sites:
o SourceForge -- also has binary RPM and upgrade source patch
o Dortmund University -- also has binary RPM, .tar.gz and upgrade source patch
o IBiblio/MetaLab (will take some days to pick up) -- has FTP sites
Check the system/news/transport directory
Not all sites carry all files, the .tar.bz2 is available everywhere,
the upgrade patch is available everywhere except IBiblio.
Below are file checksums and the NEWS file excerpt, with changes since
the previous release. The full ChangeLog ships with the tarballs and
can be viewed at http://home.pages.de/~mandree/leafnode/ChangeLog.txt
Matthias Andree, Leafnode maintainer
NEWS since previous release:
### SUMMARY OF IMPORTANT CHANGES
(these are detailed below)
+ Texpire is now robust against hard link attacks that try to prevent expiry.
+ Fetchnews has more complete timeout handling and a new timeout_fetchnews
global configuration option.
+ Low-traffic, subscribed groups will not expire any more.
+ Time zone handling was rewritten from scratch once again and dropped in all
places where it isn't essential, to fix complaints and bogus data.
+ A bug that caused excessive article considerations after a fetch had to be
aborted was fixed.
+ only_groups_pcre fixes for crosspostings, adds a new option
+ A bug that caused active persistent re-downloads for upstreams running on a
non-standard server was fixed. The NEWGROUPS range now only spans the time
since the last fetchnews run.
+ Bugfixes were made to connecting to upstream servers with multiple IPs.
+ Quickmkdir is no longer part of the installation procedure. Leafnode
programs will create missing directories on their own.
+ The user account leafnode processes run under is now configurable at compile
time, to aid OpenBSD packaging.
### INCOMPATIBLE BUGFIXES AND CHANGES
+ Bugfix: "GROUP s" will now mark the group interesting iff it is interesting.
This avoids premature unsubscription from low-traffic groups.
Backported from leafnode-2. Reported by Oliver Brakmann.
+ Cleanup: Logging has been overhauled. It is now more consistent, prefixes
are the server or group name where applicable, prefixes error: for errors
and warning: for warnings. Timeout and other line reading problems now
appear in the debug log with "ERROR:" on the line for easy retrieval with
grep, the end of file is also logged as "< (EOF)". The "skipping (filename),
not complete" message was demoted from LOG_NOTICE to LOG_INFO severity
+ Change: fetchnews now uses timeout_fetchnews rather than timeout_client when
waiting for a server's NNTP status response.
(this includes a documentation fix provided by David Houlden)
+ Cleanup: Time zone information for generated headers was unreliable and has
been dropped. We'll create the Date: header in GMT.
+ Bugfix: checkgroups can now read the checkgroups file from a path relative
to the current working directory.
+ Bugfix: fetchnews will wait no more than five minutes (configurable through
the new timeout_fetchnews parameter) for a server response that is not a
+ Bugfix: fetchnews will not kill the group's high watermarks when it has to
abort the fetch. It will leave a snapshot file behind that is merged on the
next run for the server that failed.
The bug was introduced into 1.9.50 and discovered by Bastian Blank.
+ Bugfix: "server does not carry Newsgroups:" log message only printed the
first group name rather than all.
+ Bugfix: when posting, the first newsgroup in a Newsgroups:-header of a
cross-posted article that was NOT matched by only_groups_pcre stopped the
search for further articles that might still be on the server.
Reported by Joshua Crawford.
+ Bugfix: log exact reason why a fetchnews connection has failed.
+ Bugfix: try all IPs of a host even when the connection to one of them failed.
+ Bugfix: send MODE READER first, then try to authenticate.
+ Bugfix: add missing error messages for NNTP connection and DATE reply
+ Bugfix: Proceed to next IP when a server name has multiple IPs attached when
the greeting doesn't arrive or the upstream runs NNTPcache V2.3.
+ Bugfix: Do not fetch the full newsgroup list on every fetchnews run when the
upstream runs on a non-standard port. Reported by Cory C. Albrecht and
confirmed by Joshua Crawford. This is a fix-up for a half-baked bugfix that
went into leafnode 1.9.29 that was supposed to support multiple servers with
the same name but different port (necessary for ssh tunnels for instance).
+ Bugfix: Plugged a memory leak, the memory allocated for an only_group_pcre
compiled PCRE was never freed.
+ Bugfix: "illegal" articles are truncated to zero size and no longer given
out, to avoid sending dangerous content to clients.
+ Bugfix: Zero-size check was not applied when an article was opened by
+ Bugfix: texpire relied on the hard link count to expire articles. Any user
could defeat expiry by creating a hard link to an article file, preventing
expiry of certain articles, so that the spool partition could fill up in the
long run. However, the user who can perform this attack can usually fill up
the disk directly (without instrumenting leafnode), so no security
announcement shall be issued. Code has been added to force expiry via the
Message-ID, rather than by hard link count.
+ Bugfix: the date check stopped working when DST was in effect.
Replaced by timegm() function from Heimdal/Kerberos IV, calculations are now
done in GMT rather than fiddling with the GMT offset.
Caused lots of bogus "check your system clock" warnings.
+ Bugfix: Do not fetch newgroups since last full active fetch, but rather
since last NEWGROUPS.
+ Bugfix: leafnode: do not send warnings (for instance about misconfiguration,
when maxage is too large) to stderr, some super servers send them to the
client. Reported by Martin Klaiber.
+ Cleanup: Some internal variables have been renamed to avoid name clashes
with library functions (Ralf Wildenhues).
+ Cleanup: getline.c now includes string.h to avoid compiler warnings
+ Cleanup: After connection failure, the connection is properly shut down with
nntpdisconnect() or nntpquit() rather than a half-baked shutdown(2).
+ Portability: quickmkdir will not start the file name with a double slash.
Patch sent by A. Alper Atici.
+ Feature: The fetchnews server response timeout is now independent of nntpd's
+ Feature: New server option only_groups_match_all to make only_groups_pcre
more restrictive with respect to posting, with this option on, ALL groups of
a crossposting must match the PCRE rather than ANY before a post goes to the
server that defines this option.
+ Feature: fetchnews supports a new -w option to force the XOVER updater
process to run in the foreground rather than detached.
+ Portability: The user and group name that used to be hardcoded to "news" are
now configurable, to support the OpenBSD policy of prefixing daemon and
system users with an underscore character, "_". Use --with-user and
--with-group options to ./configure.
Based on patches by Cory C. Albrecht.
+ Documentation: README now explains the difference between news.debug and
news.=debug in syslog.conf and recommends the former.
+ Safety: multiple configurations for the same server and port now cause an
abort. Leafnode cannot handle fetching for multiple users per single server.
+ Consistency: debugmode >= 1 now logs sent NNTP commands. (debugmode = 2 was
needed before for sent commands and = 1 for received replies)
+ Consistency: all leafnode processes will now generate needed directories
on start-up. This effectively eliminates the need for quickmkdir, which
will continue to be built in order not to break existing packaging scripts.
Also helps Cygwin portability (which requires further patches that do not
ship with leafnode and are currently maintained by A. Alper Atici).
+ Feature: debugmode >= 2 now logs - at LOG_DEBUG priority - decisions why an
article is posted or skipped for a particular server in the light of
+ Efficiency: the migrate() function caused a lot of unnecessary chdir()
+ Cleanup: The signal causing fetchnews to abort will now be logged.
+ Cleanup: suppress 'found no server with posting permission' in fetchnews
when one or more servers have not been queried, suggested by Al Bogner.
+ Cleanup: when any server has not been queried by fetchnews, print a warning
(unless -q is given) and log it.
+ Cleanup: suppress 'backing up from 1 to 12345' style messages in fetchnews.
+ Cleanup: texpire will now fix the group low water marks for pseudo groups,
so that LIST ACTIVE output matches GROUP output.
+ Cleanup: config.example: The expire line is first, before the server line.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
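
Added example, not part of the announcement and not leafnode code: a spool audit for the hard link problem described in the texpire bugfix entry above. It flags article files whose link count exceeds the number of directory entries found inside the spool, which is the condition that defeats expiry by link count. The spool layout, file names and the `build_demo` sample are constructed assumptions.

```python
import os
import tempfile
from collections import Counter

def in_spool_links(spool):
    """Count directory entries inside the spool per (device, inode)."""
    seen = Counter()
    for root, _dirs, files in os.walk(spool):
        for name in files:
            st = os.lstat(os.path.join(root, name))
            seen[(st.st_dev, st.st_ino)] += 1
    return seen

def externally_linked(spool):
    """Return spool paths whose st_nlink exceeds the links found in the spool."""
    seen = in_spool_links(spool)
    flagged = []
    for root, _dirs, files in os.walk(spool):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if st.st_nlink > seen[(st.st_dev, st.st_ino)]:
                flagged.append(os.path.relpath(path, spool))
    return sorted(flagged)

def build_demo(base):
    """Constructed sample spool (assumed layout): two articles, one linked from outside."""
    spool = os.path.join(base, "spool")
    for d in ("message.id/000", "example/group"):
        os.makedirs(os.path.join(spool, d))
    os.mkdir(os.path.join(base, "elsewhere"))
    for n, mid in ((1, "<a@example.invalid>"), (2, "<b@example.invalid>")):
        store = os.path.join(spool, "message.id/000", mid)
        with open(store, "w") as f:
            f.write("Message-ID: %s\n\nbody\n" % mid)
        os.link(store, os.path.join(spool, "example/group", str(n)))
    # A link outside the spool keeps st_nlink above what the spool accounts for.
    os.link(os.path.join(spool, "message.id/000", "<b@example.invalid>"),
            os.path.join(base, "elsewhere", "pinned"))
    return spool

def demo():
    with tempfile.TemporaryDirectory() as base:
        return externally_linked(build_demo(base))

if __name__ == "__main__":
    print(demo())
```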