Date: Tue, 6 Jun 2000 22:32:23 -0300
From: Sergio Bruder <bruder@conectiva.com.br>
To: bugtraq@securityfocus.com, bos-br@sekure.org, lwn@lwn.net
Subject: Conectiva Linux security announcement - inn

CONECTIVA LINUX SECURITY ANNOUNCEMENT

This message is automatically sent to the announcement list.
Information regarding this list can be found at
http://www.conectiva.com.br/atualizacoes

This announcement reports a problem found with a package or component
of Conectiva Linux and instructions on how to fix it.

The information reported in this mail can be freely distributed, as
long as its contents are not modified.

----------------------------------------------------------------------

PACKAGE: inn
SUMMARY : Buffer overflow in news server
DATE : 2000-JUN-06
CONECTIVA VERSIONS: 4.0, 4.1, 4.2 and 5.0

DESCRIPTION

A buffer overflow has been found in the news server inn up to version
2.2.2. If the "verifycancels" option in the /etc/news/inn.conf file is
set to "true", then the server is vulnerable to this problem.
The package shipped with Conectiva Linux has this option activated and
is therefore vulnerable.

SOLUTION

The option "verifycancels" should be set to "false". If this feature
is needed, then the package must be updated; otherwise the server will
be vulnerable. Our updated packages have this option set to "false".

The updated packages are being sent to our ftp right now. Packages for
"edição servidor 1.0" and "guarani" will follow shortly.

----------------------------------------------------------------------

RPM PACKAGES

i386/inews-2.2.2-3cl.i386.rpm
i386/inn-devel-2.2.2-3cl.i386.rpm
i386/inn-2.2.2-3cl.i386.rpm

Update directories:

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0

Direct links to the packages:

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-devel-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-devel-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-devel-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-devel-2.2.2-3cl.i386.rpm

----------------------------------------------------------------------

All the packages listed here are signed with our PGP key.
You can get this key at
http://www.conectiva.com.br/conectiva/contato.html

Information on how to install and/or update packages, and mirror
sites, can be found at http://www.conectiva.com.br/atualizacoes

----------------------------------------------------------------------

subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br
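
Added example (not part of the Conectiva announcement): a shell check
that reports whether an inn.conf enables "verifycancels", the condition
named in the DESCRIPTION section above. It assumes "key: value" lines
with "#" comments and true/yes/on as enabling values; the function name
and the sample files are constructed for illustration.

```shell
# Added example, not from the advisory. Assumed inn.conf syntax: "key: value"
# lines, "#" comments, and true/yes/on (any case) as enabling values.
# Conservative audit rule: if ANY uncommented line enables the option,
# report "enabled", so the result does not depend on which duplicate wins.

# verifycancels_state [FILE] -> prints enabled | disabled | unset | unreadable
verifycancels_state() {
    conf=${1:-/etc/news/inn.conf}
    [ -r "$conf" ] || { echo unreadable; return 2; }
    awk '
        /^[ \t]*#/ { next }                      # whole-line comment
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # leading blanks
            if (tolower(line) !~ /^verifycancels[ \t]*:/) next
            sub(/^[^:]*:[ \t]*/, "", line)       # drop "verifycancels:"
            sub(/[ \t]*#.*$/, "", line)          # trailing comment
            gsub(/"/, "", line)                  # optional quotes
            gsub(/\r/, "", line)                 # CR from DOS-edited files
            sub(/[ \t]+$/, "", line)
            v = tolower(line)
            if (v == "true" || v == "yes" || v == "on") state = "enabled"
            else if (state == "") state = "disabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$conf"
}

# Constructed sample files (not real configurations).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'organization: Example' '#verifycancels: false' \
    'verifycancels:   TRUE   # as shipped' > "$sample_dir/vulnerable.conf"
printf '%s\n' 'verifycancels: false' > "$sample_dir/mitigated.conf"
printf '%s\n' 'verifycancels: false' 'verifycancels: yes' \
    > "$sample_dir/mixed.conf"
printf '%s\n' 'organization: Example' > "$sample_dir/unset.conf"

for f in vulnerable mitigated mixed unset; do
    printf '%-10s %s\n' "$f" "$(verifycancels_state "$sample_dir/$f.conf")"
done
```

An "unset" result means the file does not mention the option; the
effective value then depends on the installed inn's built-in default.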