mailing list archives
Re: Security problem in C news and INN
From: casper () fwi uva nl (Casper Dik)
Date: Thu, 24 Feb 94 09:54:54 +0100
Maybe I'm the last person on the planet to realize this..... is it common
knowledge that there's a *major* security hole in both C news performance
release, and old versions of INN?
If anyone doesn't know what I'm talking about, then you may want to disable
newgroup and checkgroups processing from C news (performance release), and
disable processing of ALL control messages except cancel from INN. Disable
them <completely>, best with an "exit 0" at the first line of all
appropriate scripts. Do not attempt to interpret or process these articles
in any way. Don't do _anything_ with these articles except ignore them.
This is overkill, but anything more specific would be too much of a
If you use INN, you can get inn1.4.sec from ftp.uu.net.
It fixes this problem.
I'm not sure that disabling all control messages except cancel
Re: syslog/udp Jim Duncan (Feb 24)