Date: Tue, 7 Sep 1999 13:30:00 +0200 (CEST)
From: joey@finlandia.Infodrom.North.DE (Martin Schulze)
To: debian-security-announce@lists.debian.org (Debian Security Announcements)
Subject: [SECURITY] New versions of INN fixes "news" exploit

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------
Debian Security Advisory                                 security@debian.org
http://www.debian.org/security/                               Martin Schulze
September 7, 1999
- ----------------------------------------------------------------------------

We have a report covering a buffer overflow in the inews program as
provided by the INN news server. This program is used by local
clients to inject news articles to the server. In order to be able to
connect to the news server through a Unix domain socket it needs to
run setgid "news".

Exploiting this bug, local users would gain "news" privileges. After
that they are able to modify the configuration for the INN server as
well as destroy News databases and files.

We recommend you upgrade your inews-inn package.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 2.1 alias slink
- --------------------------------

  This version of Debian was released only for the Intel, the
  Motorola 68xxx, the alpha and the Sun sparc architecture. However,
  the alpha architecture didn't provide an INN package.

  Source archives:

    http://security.debian.org/dists/stable/updates/source/inn_1.7.2-4.1.diff.gz
      MD5 checksum: f390efec27637bb3d5cd53451a2ba65c
    http://security.debian.org/dists/stable/updates/source/inn_1.7.2-4.1.dsc
      MD5 checksum: ec896efa2c7fbe1aca281ab6772d9abe
    http://security.debian.org/dists/stable/updates/source/inn_1.7.2.orig.tar.gz
      MD5 checksum: f8b569ef42bb553dab7af5513bf483aa

  Intel ia32 architecture:

    http://security.debian.org/dists/stable/updates/binary-i386/inewsinn_1.7.2-4.1_i386.deb
      MD5 checksum: e8af9fe66b95da403230c2d4443cfe35
    http://security.debian.org/dists/stable/updates/binary-i386/inn-dev_1.7.2-4.1_i386.deb
      MD5 checksum: 46d80892430881d7c6c457a1432b4c31
    http://security.debian.org/dists/stable/updates/binary-i386/inn_1.7.2-4.1_i386.deb
      MD5 checksum: 7c63df29c5738ae27d12bcb3edd5535f

  Motorola 680x0 architecture:

    http://security.debian.org/dists/stable/updates/binary-m68k/inewsinn_1.7.2-4.1_m68k.deb
      MD5 checksum: 38a7c7c28bfb91a6589aba6856d1a235
    http://security.debian.org/dists/stable/updates/binary-m68k/inn-dev_1.7.2-4.1_m68k.deb
      MD5 checksum: 1c838c021a852596181014b4dd11aae5
    http://security.debian.org/dists/stable/updates/binary-m68k/inn_1.7.2-4.1_m68k.deb
      MD5 checksum: 720a757f190bf251465fc5d9d05fb041

  Sun Sparc architecture:

    http://security.debian.org/dists/stable/updates/binary-sparc/inewsinn_1.7.2-4.1_sparc.deb
      MD5 checksum: 5ccb952a839a84ab9009836877c80a4d
    http://security.debian.org/dists/stable/updates/binary-sparc/inn-dev_1.7.2-4.1_sparc.deb
      MD5 checksum: 63789ec335c7adda7528d82900d61e4c
    http://security.debian.org/dists/stable/updates/binary-sparc/inn_1.7.2-4.1_sparc.deb
      MD5 checksum: d738c7f83a15856286354380b044d536

Debian GNU/Linux pre2.2 alias potato
- ------------------------------------

  Source archives:

    http://security.debian.org/dists/unstable/updates/source/inn_1.7.2.orig.tar.gz
      MD5 checksum: f8b569ef42bb553dab7af5513bf483aa
    http://security.debian.org/dists/unstable/updates/source/inn_1.7.2-11.diff.gz
      MD5 checksum: 2ec0d842fed6c4ef59de277733190738
    http://security.debian.org/dists/unstable/updates/source/inn_1.7.2-11.dsc
      MD5 checksum: 138bddce53fd1ded38a46fba6a96b32c

  Alpha architecture:

    http://security.debian.org/dists/unstable/updates/binary-alpha/inewsinn_1.7.2-11_alpha.deb
      MD5 checksum: c8f58a885d85e4d7cc969df52fc8a8f4
    http://security.debian.org/dists/unstable/updates/binary-alpha/inn-dev_1.7.2-11_alpha.deb
      MD5 checksum: d80226ba4d80a14c3b2e016caf99de53
    http://security.debian.org/dists/unstable/updates/binary-alpha/inn_1.7.2-11_alpha.deb
      MD5 checksum: 5dfccb7c9b15599c06d09a85e46c91e5

  ARM architecture:

    http://security.debian.org/dists/unstable/updates/binary-arm/inewsinn_1.7.2-11_arm.deb
      MD5 checksum: ee521e7c5c9190b4f2062d81eaf9077c
    http://security.debian.org/dists/unstable/updates/binary-arm/inn-dev_1.7.2-11_arm.deb
      MD5 checksum: 63903547ad0255cd157aa48594e040e6
    http://security.debian.org/dists/unstable/updates/binary-arm/inn_1.7.2-11_arm.deb
      MD5 checksum: 4369dda02495f0aaf126049ebeee3992

  Intel ia32 architecture:

    http://security.debian.org/dists/unstable/updates/binary-i386/inewsinn_1.7.2-11_i386.deb
      MD5 checksum: c69b719ecbaab0703e576b77186b271a
    http://security.debian.org/dists/unstable/updates/binary-i386/inn-dev_1.7.2-11_i386.deb
      MD5 checksum: 248b439045b860acc2d1890e8f6b0f5c
    http://security.debian.org/dists/unstable/updates/binary-i386/inn_1.7.2-11_i386.deb
      MD5 checksum: c1868b74810c5158a29846f6123c972d

  Motorola 680x0 architecture:

    http://security.debian.org/dists/unstable/updates/binary-m68k/inewsinn_1.7.2-11_m68k.deb
      MD5 checksum: c220190df2517eae2d88103f056b0a16
    http://security.debian.org/dists/unstable/updates/binary-m68k/inn-dev_1.7.2-11_m68k.deb
      MD5 checksum: 141b786979c37ce268844507d2311b99
    http://security.debian.org/dists/unstable/updates/binary-m68k/inn_1.7.2-11_m68k.deb
      MD5 checksum: caf20157c31f3ee8affae4ae534494b5

  PowerPC architecture:

    http://security.debian.org/dists/unstable/updates/binary-powerpc/inewsinn_1.7.2-11_powerpc.deb
      MD5 checksum: 86155c15e9354397127de54953687708
    http://security.debian.org/dists/unstable/updates/binary-powerpc/inn-dev_1.7.2-11_powerpc.deb
      MD5 checksum: 75adc804b2cd683313837a8e2458b94e
    http://security.debian.org/dists/unstable/updates/binary-powerpc/inn_1.7.2-11_powerpc.deb
      MD5 checksum: 3fe559ccee892aeac719b061260c4975

  Sun Sparc architecture:

    http://security.debian.org/dists/unstable/updates/binary-sparc/inewsinn_1.7.2-11_sparc.deb
      MD5 checksum: 3992a3513c1b7c9acdc9d9a507177f57
    http://security.debian.org/dists/unstable/updates/binary-sparc/inn-dev_1.7.2-11_sparc.deb
      MD5 checksum: 3147dc1de268fb79d8550b1e98268dae
    http://security.debian.org/dists/unstable/updates/binary-sparc/inn_1.7.2-11_sparc.deb
      MD5 checksum: 1716450113c13ac880a2455b75396d14

- ----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBN9T3NxRNm5Suj3z1AQGo+QP+NfZYuls2wxuzCblyqL899cOvU3U/f18v
fYmcJIW3aY8xvh0h+AmcFL0DFnz6+2IEpkuLLDjHz4EBJoMii1yr1xovzwUuIf1b
2j5PV8bEN8dH2LWeqBc+05QhYm3o6RbXqdqpdtva2eT5/dKr5gOOsj1+Zu4FgpT5
0aEBhso7IWo=
=CAEn
-----END PGP SIGNATURE-----
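
Added example, not part of the original advisory: a shell check that fits between the "wget url" and "dpkg -i file.deb" steps, comparing each downloaded file with the MD5 checksum the advisory lists for it. The function names and the saved-advisory file name dsa.txt are assumptions, as is the availability of awk and md5sum; the listed checksums are only as trustworthy as the PGP signature on the advisory text they are read from.

```sh
#!/bin/sh
# Added example (not part of the advisory): check downloaded packages against
# the advisory's "URL MD5 checksum: <hash>" pairs before running dpkg -i.

# extract_sums ADVISORY
# Prints "<md5>  <file name>" for each URL that is followed, within the next
# two words ("MD5 checksum:"), by a 32-digit hex value. Works on the original
# line layout and on a copy whose line breaks were lost.
extract_sums() {
    awk '{
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok ~ /^(http|ftp):\/\//) { url = tok; gap = 0 }
            else if (url == "") continue
            else if (length(tok) == 32 && tok ~ /^[0-9a-f]+$/) {
                n = split(url, part, "/")
                print tok "  " part[n]
                url = ""
            }
            else if (++gap > 2) url = ""
        }
    }' "$1"
}

# verify_debs ADVISORY DIR
# Hashes every listed file that exists in DIR. Succeeds only if at least one
# listed file was found and every file found matches its listed checksum.
verify_debs() {
    list=$(extract_sums "$1") || return 2
    checked=0
    bad=0
    while read -r want name; do
        [ -f "$2/$name" ] || continue
        checked=$((checked + 1))
        have=$(md5sum < "$2/$name" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $name (advisory $want, file $have)" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$list
EOF
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage (dsa.txt is an assumed name for the saved advisory text):
#   verify_debs dsa.txt . && dpkg -i inewsinn_1.7.2-4.1_i386.deb
```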