MDVSA-2012:156
- Package name: inn
- Date: 2012-10-02
- Advisory ID: MDVSA-2012:156
- Affected versions: 2011 i586, 2011 x86_64
Problem description
A security issue was identified and fixed in ISC INN:
The STARTTLS implementation in INN's NNTP server for readers, nnrpd,
before 2.5.3 does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted sessions
by sending a cleartext command that is processed after TLS is in place,
related to a plaintext command injection attack, a similar issue to
CVE-2011-0411 (CVE-2012-3523).
The updated packages have been upgraded to inn 2.5.3 which is not
vulnerable to this issue.
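
The buffering flaw described above, modelled as an added example (not INN or nnrpd code, and not part of the original advisory): a toy line-based session in which a single cleartext read carries STARTTLS followed by one more line. The `Session` class, the `X-INJECTED` placeholder command and the discard-on-switch mitigation are assumptions made for illustration.

```python
"""Toy model of a line-based server's read buffer across STARTTLS.
Constructed illustration; not INN/nnrpd source code."""


class Session:
    def __init__(self, discard_plaintext_on_starttls):
        self.discard = discard_plaintext_on_starttls
        self.buf = b""      # bytes read from the socket, not yet parsed
        self.tls = False    # True once the (simulated) handshake is done
        self.handled = []   # (command, tls flag at the time it was executed)

    def receive(self, data):
        """Append the bytes of one read() and process every complete line."""
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            cmd = line.decode("ascii")
            self.handled.append((cmd, self.tls))
            if cmd.upper() == "STARTTLS" and not self.tls:
                if self.discard:
                    # Hardened: whatever is still buffered arrived in
                    # cleartext and could have been added on the path.
                    self.buf = b""
                # Handshake simulated; later reads count as decrypted data.
                self.tls = True


def commands_trusted_as_encrypted(discard):
    """Commands the server executed while believing the channel was TLS."""
    s = Session(discard)
    # Constructed input: one cleartext read holding STARTTLS plus a trailing
    # placeholder line that the genuine client never sent.
    s.receive(b"STARTTLS\r\nX-INJECTED\r\n")
    # Constructed input: what the genuine client sends after the handshake.
    s.receive(b"LIST\r\n")
    return [cmd for cmd, tls in s.handled if tls]


if __name__ == "__main__":
    print("buffer kept     :", commands_trusted_as_encrypted(False))
    print("buffer discarded:", commands_trusted_as_encrypted(True))
```

With the buffer kept, the placeholder line is executed as if it had arrived inside the encrypted session; with the buffer discarded at the switch, only the post-handshake command is.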
Updated packages
2011 i586
0fdfb8541c9dde983ada87a196ecc45a 2011/i586/inews-2.5.3-0.1-mdv2011.0.i586.rpm
60e226fec04eaa464dbe7a5f2c593713 2011/i586/inn-2.5.3-0.1-mdv2011.0.i586.rpm
47326ed2fb59ccdbaa5e6328e09deb95 2011/i586/inn-devel-2.5.3-0.1-mdv2011.0.i586.rpm
e42adcff2587362f39488faf96f9c496 2011/SRPMS/inn-2.5.3-0.1.src.rpm
2011 x86_64
f4824198caa2bbc317a14fd592bff6f7 2011/x86_64/inews-2.5.3-0.1-mdv2011.0.x86_64.rpm
7ac20f123163d73f1dc78757a6c1ed88 2011/x86_64/inn-2.5.3-0.1-mdv2011.0.x86_64.rpm
eb416372f4e3cebd236a53c89c83eec5 2011/x86_64/inn-devel-2.5.3-0.1-mdv2011.0.x86_64.rpm
e42adcff2587362f39488faf96f9c496 2011/SRPMS/inn-2.5.3-0.1.src.rpm
