
[leafnode-list] [Leafnode-announce] Leafnode 1.11.3.rel released (STABLE) -SECURITY UPDATE-



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                ----------------------------------------
                 leafnode 1.11.3.rel has been released.
                ----------------------------------------
                    http://leafnode.sourceforge.net/

.------------------------------------------------------------------.
| If you like leafnode, please consider donating - voluntarily     |
| Donate via https://sourceforge.net/donate/index.php?user_id=2788 |
`------------------------------------------------------------------'

Version 1.11.3 is an update that fixes one security bug where a
malicious remote server can hang fetchnews.


A binary RPM for Linux with glibc 2.2 and i486 or compatible processors
is provided. It also requires packages providing libpcre.so.0 and xinetd.

This version is or will become available in .tar.bz2 format from these sites:

o SourceForge -- Source .tar.bz2 and i486 Linux RPM
   http://sourceforge.net/projects/leafnode/
   http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=333578
   rsync://osdn.dl.sourceforge.net/sourceforge/l/le/leafnode/

o Dortmund University -- Source .tar.bz2, .tar.gz, upgrade patch, i486 Linux RPM
   http://home.pages.de/~mandree/leafnode/
   rsync://www.dt.e-technik.uni-dortmund.de/leafnode-1/

o IBiblio/MetaLab (will take some days to pick up) -- has FTP sites
   http://ibiblio.org/pub/Linux/MIRRORS.html
   Check the system/news/transport directory

Not all sites carry all file types (.tar.bz2, .tar.gz, .rpm).

Below are file checksums and the NEWS file excerpt, with changes since
the previous release.  The full ChangeLog ships with the tarballs and
can also be viewed at http://home.pages.de/~mandree/leafnode/ChangeLog.txt

Have fun,
Matthias Andree, Leafnode maintainer

SHA1 checksums:
6910f05c0fa4b1bb5a4baaa6e6fd529fef5ece22 *leafnode-1.11.3.rel.tar.bz2
b17fc6b361c499f35dda707dfea37e9342dcfe03 *leafnode-1.11.3.rel.tar.gz
9fbd51f861749af44646809713df2a1d839a0ab8 *upgrade-1.11.2-to-1.11.3.diff.gz

MD5 checksums:
3360247f3cebf3c8cc5accf182cd4bcd *leafnode-1.11.3.rel.tar.bz2
e6494a9c01a9a21734d0c8a0662ec1eb *leafnode-1.11.3.rel.tar.gz
b48d0ec3bb5b112bd948b08132c8db77 *upgrade-1.11.2-to-1.11.3.diff.gz

File sizes:
506217 leafnode-1.11.3.rel.tar.bz2
581429 leafnode-1.11.3.rel.tar.gz
 36391 upgrade-1.11.2-to-1.11.3.diff.gz

>-----------------------------------------------------------------------------
### SECURITY BUGFIXES
o Fetchnews did not detect timeouts while it was downloading an article
  header, which malicious upstream servers could exploit to mount a denial of
  service attack against the fetchnews client. See leafnode-SA-2005-02.txt.
  CVE Name: CAN-2005-1911

### BUGFIXES
o Bugfix sed expression in makesubst script.  (Reported by Jeff Zacharias.)

### CHANGES
o texpire now tags the message.id expired count with "message.id" rather than
  "total:" to avoid misleading the user who assumes that "total:" would have
  to be the sum of the group counts. See also the FAQ change below.
  SourceForge bug #1215453.
o When debugmode and verbose mode are set, leafnode programs now print a
  warning to stdout that the user should check syslog.conf and the syslog
  output rather than the screen print for debugging and sleeps for three
  seconds.

### DOCUMENTATION
o Add FAQ entry to explain discrepancies between texpire group counts and
  message.id expired articles counts.
o Add FAQ entry to explain influence of Gnus' gnus-read-active-file setting 
  on lost subscriptions, and extend stop fetchnews from unsubscribing FAQ.
  Debian bug #307685.
o Drop FAQ entry on license issues as some parts of leafnode are in fact GPLd.
o Drop FAQ entry on why old articles aren't posted, obsolete since 1.9.33.
o INSTALL and INSTALL_de have been polished.
o Add a hint that syslog.conf must be edited to config.example.
o leafnode(8) mentions that LIST ACTIVE keeps an existing subscription fresh.
>-----------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCp2fIvmGDOQUufZURAqgOAJ4yroHatwqwOTAtnTMdsEgfxaVglwCgv7BT
XeRnQyElB+p2WKDfrnNXyAo=
=sMm0
-----END PGP SIGNATURE-----


_______________________________________________
Leafnode-announce mailing list
Leafnode-announce@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/leafnode-announce
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=10210
-- 
_______________________________________________
leafnode-list mailing list
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
http://www.dt.e-technik.uni-dortmund.de/mailman/listinfo/leafnode-list
http://leafnode.sourceforge.net/
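
The failure mode listed under SECURITY BUGFIXES above (no timeout detected while an article header is being downloaded) is avoided when one deadline bounds the whole header read. The C code below is an added example, not leafnode's code or its actual patch; `read_header`, `demo`, the result codes and the choice of poll() are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum { HDR_OK = 0, HDR_TIMEOUT = -1, HDR_CLOSED = -2, HDR_TOOBIG = -3 }; /* hypothetical codes */

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read a header block (ends at the first empty line) from fd into buf.
 * One deadline covers the whole header, so a peer that stalls or trickles
 * single bytes cannot hold the caller past budget_ms. */
int read_header(int fd, char *buf, size_t cap, int budget_ms) {
    long deadline = now_ms() + budget_ms;
    size_t len = 0;
    while (len + 1 < cap) {
        long left = deadline - now_ms();
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = left > 0 ? poll(&p, 1, (int)left) : 0;
        if (r == 0) return HDR_TIMEOUT;          /* budget used up */
        if (r < 0) { if (errno == EINTR) continue; return HDR_CLOSED; }
        ssize_t n = read(fd, buf + len, cap - 1 - len);
        if (n <= 0) return HDR_CLOSED;           /* EOF or read error */
        len += (size_t)n;
        buf[len] = '\0';
        if (strstr(buf, "\r\n\r\n")) return HDR_OK;
    }
    return HDR_TOOBIG;                           /* cap reached, no end of header */
}

/* Constructed peer: sends `sent` over a socketpair, then stalls (stays open). */
int demo(const char *sent, int budget_ms) {
    int sv[2], rc = -99;
    char buf[512];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return rc;
    if (write(sv[1], sent, strlen(sent)) >= 0) rc = read_header(sv[0], buf, sizeof buf, budget_ms);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) {
    return printf("%d %d\n", demo("Subject: t\r\n\r\n", 500), demo("Subject: t\r\n", 200)) < 0;
}
```

Because the deadline is computed once before the loop, each partial read shortens the remaining wait instead of restarting it.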