Package name
Advisory ID
Affected versions
2011 i586, 2011 x86_64

Problem description

A security issue was identified and fixed in ISC INN:

The STARTTLS implementation in INN's NNTP server for readers, nnrpd,
before 2.5.3 does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted sessions
by sending a cleartext command that is processed after TLS is in place,
related to a plaintext command injection attack, a similar issue to
CVE-2011-0411 (CVE-2012-3523).

The updated packages have been upgraded to inn 2.5.3 which is not
vulnerable to this issue.
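
The buffering flaw described above, as a small model added here for illustration; it is not INN's code or its patch. The struct, the function names and the sample input are assumptions. The hardened branch shows the general mitigation of discarding any input still buffered when STARTTLS is accepted.

```c
#include <stdio.h>
#include <string.h>

/* Model of a server-side input buffer filled by cleartext read() calls. */
struct conn { char buf[256]; size_t len, pos; int tls_active; };

/* Pop the next CRLF-terminated line; returns 0 when no complete line is left. */
static int next_line(struct conn *c, char *out, size_t outsz)
{
    char *start = c->buf + c->pos;
    char *end = (c->pos < c->len) ? strstr(start, "\r\n") : NULL;
    size_t n;
    if (end == NULL) return 0;
    n = (size_t)(end - start);
    c->pos += n + 2;                      /* consume the line and its CRLF */
    if (n >= outsz) n = outsz - 1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* Count commands that arrived in cleartext but were handled after the TLS switch. */
int cleartext_cmds_run_after_tls(const char *wire, int flush_on_starttls)
{
    struct conn c;
    char line[128];
    int leaked = 0;
    memset(&c, 0, sizeof c);
    c.len = strlen(wire);
    if (c.len >= sizeof c.buf) c.len = sizeof c.buf - 1;
    memcpy(c.buf, wire, c.len);
    while (next_line(&c, line, sizeof line)) {
        if (c.tls_active) { leaked++; continue; }   /* stale cleartext treated as protected */
        if (strcmp(line, "STARTTLS") == 0) {
            if (flush_on_starttls) c.pos = c.len;   /* hardened: discard buffered bytes */
            c.tls_active = 1;                       /* the TLS handshake would run here */
        }
    }
    return leaked;
}

int main(void)
{
    const char *wire = "STARTTLS\r\nDATE\r\n";      /* constructed: two lines, one segment */
    printf("unflushed: %d, flushed: %d\n",
           cleartext_cmds_run_after_tls(wire, 0), cleartext_cmds_run_after_tls(wire, 1));
    return 0;
}
```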

Updated packages

2011 i586

 0fdfb8541c9dde983ada87a196ecc45a  2011/i586/inews-2.5.3-0.1-mdv2011.0.i586.rpm
 60e226fec04eaa464dbe7a5f2c593713  2011/i586/inn-2.5.3-0.1-mdv2011.0.i586.rpm
 47326ed2fb59ccdbaa5e6328e09deb95  2011/i586/inn-devel-2.5.3-0.1-mdv2011.0.i586.rpm 
 e42adcff2587362f39488faf96f9c496  2011/SRPMS/inn-2.5.3-0.1.src.rpm

2011 x86_64

 f4824198caa2bbc317a14fd592bff6f7  2011/x86_64/inews-2.5.3-0.1-mdv2011.0.x86_64.rpm
 7ac20f123163d73f1dc78757a6c1ed88  2011/x86_64/inn-2.5.3-0.1-mdv2011.0.x86_64.rpm
 eb416372f4e3cebd236a53c89c83eec5  2011/x86_64/inn-devel-2.5.3-0.1-mdv2011.0.x86_64.rpm 
 e42adcff2587362f39488faf96f9c496  2011/SRPMS/inn-2.5.3-0.1.src.rpm