
Date: Tue, 6 Jun 2000 22:32:23 -0300
From: Sergio Bruder <bruder@conectiva.com.br>
To: bugtraq@securityfocus.com, bos-br@sekure.org, lwn@lwn.net
Subject: Conectiva Linux security announcement - inn 


CONECTIVA LINUX SECURITY ANNOUNCEMENT

This message is automatically sent to the announcement list.
Information regarding this list can be found in
http://www.conectiva.com.br/atualizacoes

This announcement reports a problem found with a package or
component of Conectiva Linux and instructions on how to fix it.

The information reported in this mail can be freely distributed,
as long as its contents are not modified.

----------------------------------------------------------------------

PACKAGE: inn

SUMMARY           : Buffer overflow in news server
DATE              : 2000-JUN-06
CONECTIVA VERSIONS: 4.0, 4.1, 4.2 and 5.0


DESCRIPTION
A buffer overflow has been found in the news server inn up to
version 2.2.2. If the "verifycancels" option in the
/etc/news/inn.conf file is set to "true", then the server is
vulnerable to this problem. The package shipped with Conectiva
Linux has this option activated and is therefore vulnerable.


SOLUTION
The option "verifycancels" should be set to "false". If this
feature is needed, then the package must be updated; otherwise
the server will be vulnerable.

Our updated packages have this option set to "false".
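
A check for the setting described above, as an added example that is
not part of the original announcement or of the inn package. It assumes
"key: value" lines, '#' comment lines, and that true/yes/on all count as
enabled; the function name check_verifycancels is hypothetical.

```shell
#!/bin/sh
# Added example: report whether an inn.conf enables "verifycancels".
# Assumptions (not from the advisory): "key: value" lines, '#' starts a
# comment line, and true/yes/on all mean enabled. Any enabling line is
# flagged, regardless of which occurrence the server would honour.

# Prints enabled | disabled | unset | unreadable.
# Returns 1 for "enabled", 2 for "unreadable", 0 otherwise.
check_verifycancels() {
    conf=${1:-/etc/news/inn.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    state=$(awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)                 # tolerate CRLF files
            sub(/^[ \t]+/, "", line)
            if (tolower(line) !~ /^verifycancels[ \t]*:/) next
            seen = 1
            sub(/^[^:]*:[ \t]*/, "", line)       # drop the "key:" part
            sub(/[ \t]+$/, "", line)
            v = tolower(line)
            if (v == "true" || v == "yes" || v == "on") on = 1
        }
        END { print (on ? "enabled" : (seen ? "disabled" : "unset")) }
    ' "$conf")
    echo "$state"
    [ "$state" != "enabled" ]
}

# Constructed sample resembling the configuration the advisory warns about.
sample=$(mktemp)
printf '%s\n' '# inn.conf (constructed sample)' \
    'organization: Example News' \
    'verifycancels:   true' > "$sample"
echo "constructed sample: $(check_verifycancels "$sample")"
rm -f "$sample"
```

The non-zero exit status on "enabled" lets the function gate a
configuration-management run or a periodic audit job.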

The updated packages are being uploaded to our FTP server right now.
Packages for "edição servidor 1.0" and "guarani" will
follow shortly.

----------------------------------------------------------------------
RPM PACKAGES
i386/inews-2.2.2-3cl.i386.rpm
i386/inn-devel-2.2.2-3cl.i386.rpm
i386/inn-2.2.2-3cl.i386.rpm


Update directories: 
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0



Direct links to the packages: 
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-devel-2.2.2-3cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-devel-2.2.2-3cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-devel-2.2.2-3cl.i386.rpm

ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-devel-2.2.2-3cl.i386.rpm

----------------------------------------------------------------------

All the packages listed here are signed with our PGP key. You can
get this key at http://www.conectiva.com.br/conectiva/contato.html

Information on how to install and/or update packages, and mirror
sites, can be found at http://www.conectiva.com.br/atualizacoes

----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br