Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Security problem in C news and INN
From: casper () fwi uva nl (Casper Dik)
Date: Thu, 24 Feb 94 09:54:54 +0100

Maybe I'm the last person on the planet to realize this.....  is it common
knowledge that there's a *major* security hole in both C news performance
release, and old versions of INN?

If anyone doesn't know what I'm talking about, then you may want to disable
newgroup and checkgroups processing from C news (performance release), and
disable processing of ALL control messages except cancel from INN.  Disable
them <completely>, best with an "exit 0" at the first line of all
appropriate scripts.  Do not attempt to interpret or process these articles
in any way.  Don't do _anything_ with these articles except ignore them.
This is overkill, but anything more specific would be too much of a

If you use INN, you can get inn1.4.sec from ftp.uu.net.
It fixes this problem.
I'm not sure that disabling all control messages except cancel
actually works.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]