mailing list archives
Re: SNI-16: INN News Server Security Advisory (fwd)
From: davids () silence secnet com (David Sacerdote)
Date: Mon, 28 Jul 1997 17:10:56 -0600
Be aware the the SNI advisory is wrong on two counts here:
1. There is no "INN 1.6", at least not a released version. There
is an early beta test version of 1.6 available on the ISC ftp
site, but it is rather unstable and not at all a drop-in
replacement for 1.5.1. There is an active discussion on the
news.software.nntp newsgroup about this -- the current consensus
is that 1.6b1 is not suitable for use in anything but a testing
2. As of last friday, 25 Jul 97, the ISC has announced that they
will be making a set of patches for 1.5.1 available.
The information in the advisory is based on what the ISC told us prior to
its release. We provided the ISC with 160k of diffs against 1.5.0, well
in advance of the release of 1.5.1. They chose not to include them in the
1.5.1 release, and incorporated them into the latest beta.
When the ISC informed us that they would have a beta which included our
fixes availible, we released the advisory at approximately the time the
fixes were supposed to be available. At the time, James Brister, who
maintains INN for the ISC, informed us that there would be no patches for
versions earlier than 1.6.
Apparently, it has since transpired that INN 1.6beta1 is not as stable as
the ISC believed. Therefore, they have decided to release a set of
patches against 1.5.1.
The reason we posted is this. The overflows present in INN were trivial to
find. In fact, had they not been actively exploited in the wild before the
advisory, we would be *shocked*. Would you rather that nobody except
those who are interested in cracking your systems know about these
problems, or would you rather be properly appraised of the dangers of
- Re: SNI-16: INN News Server Security Advisory (fwd) David Sacerdote (Jul 28)