inn: CVE-2012-3523 prone to STARTTLS plaintext command injection

Related Vulnerabilities: CVE-2012-3523   CVE-2011-0411  

Debian Bug report logs - #685581

Package: inn2; Maintainer for inn2 is Marco d'Itri <md@linux.it>; Source for inn2 is src:inn2.

Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 22 Aug 2012 05:39:02 UTC

Severity: grave

Fixed in version inn2/2.5.3-1

Done: Henri Salo <henri@nerv.fi>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#685581; Package inn. (Wed, 22 Aug 2012 05:39:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Marco d'Itri <md@linux.it>. (Wed, 22 Aug 2012 05:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection
Date: Wed, 22 Aug 2012 08:34:13 +0300
Package: inn
Version: 1.7.2q-41
Severity: grave

From oss-security mailing list:

the STARTTLS implementation in INN's NNTP server for readers,
nnrpd, before 2.5.3 does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands
into encrypted sessions by sending a cleartext command that
is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz

http://www.openwall.com/lists/oss-security/2012/08/21/8
http://www.openwall.com/lists/oss-security/2012/08/21/12

- Henri Salo
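
The buffering flaw described in the advisory text above, as an added example that is not part of the original message and is not INN's code: a constructed model of a line-buffered command reader, showing that cleartext bytes pipelined behind STARTTLS are executed as if they had arrived over TLS unless the input buffer is discarded at the switch. The struct, the function names and the `flush_on_starttls` switch are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a line-buffered NNTP command reader (not INN's code). */
struct conn {
    char buf[256];  /* bytes already read from the socket, not yet parsed */
    size_t len;
    int tls;        /* 1 once the TLS layer is active */
};

/* Pop one CRLF-terminated line from c->buf into out; return 0 if none is complete. */
static int next_line(struct conn *c, char *out, size_t outsz)
{
    size_t i, eol = c->len;
    for (i = 0; i + 1 < c->len; i++)
        if (c->buf[i] == '\r' && c->buf[i + 1] == '\n') { eol = i; break; }
    if (eol == c->len) return 0;
    size_t n = eol < outsz - 1 ? eol : outsz - 1;
    memcpy(out, c->buf, n);
    out[n] = '\0';
    memmove(c->buf, c->buf + eol + 2, c->len - eol - 2);
    c->len -= eol + 2;
    return 1;
}

/* Deliver one cleartext segment and count the commands from it that are
 * executed after the session has switched to TLS. */
int injected_after_tls(const char *segment, int flush_on_starttls)
{
    struct conn c = { .len = 0, .tls = 0 };
    char line[128];
    int injected = 0;
    c.len = strlen(segment) < sizeof c.buf ? strlen(segment) : sizeof c.buf;
    memcpy(c.buf, segment, c.len);
    while (next_line(&c, line, sizeof line)) {
        if (c.tls) { injected++; continue; }  /* cleartext bytes, trusted as TLS */
        if (strcmp(line, "STARTTLS") == 0) {
            if (flush_on_starttls) c.len = 0;  /* drop pipelined cleartext */
            c.tls = 1;                         /* handshake would run here */
        }
    }
    return injected;
}

int main(void)
{
    const char *seg = "STARTTLS\r\nLIST\r\n";  /* constructed input */
    printf("no flush: %d, flush: %d\n", injected_after_tls(seg, 0), injected_after_tls(seg, 1));
    return 0;
}
```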



Bug reassigned from package 'inn' to 'inn2'. Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (Wed, 22 Aug 2012 09:24:08 GMT)


No longer marked as found in versions 1.7.2q-41. Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (Wed, 22 Aug 2012 09:24:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#685581; Package inn2. (Wed, 29 Aug 2012 20:09:08 GMT)


Acknowledgement sent to Julien ÉLIE <julien@trigofacile.com>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Wed, 29 Aug 2012 20:09:08 GMT)


Message #14 received at 685581@bugs.debian.org:

From: Julien ÉLIE <julien@trigofacile.com>
To: 685581@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>
Subject: Re: Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection
Date: Wed, 29 Aug 2012 21:57:01 +0200
Hi all,

> Package: inn
> Version: 1.7.2q-41
> Severity: grave

> the STARTTLS implementation in INN's NNTP server for readers, nnrpd,
> before 2.5.3 does not properly restrict I/O buffering, which allows
> man-in-the-middle attackers to insert commands into encrypted
> sessions by sending a cleartext command that is processed after TLS
> is in place, related to a "plaintext command injection" attack, a
> similar issue to CVE-2011-0411.

> reassign 685581 inn2

I see that this bug report has been reassigned to the inn2 package.
Yet, it is not present in the latest 2.5.3-1 inn2 package.  Shouldn't 
the bug be closed for inn2 then?

Or does it mean that a security release should be made for previous 
versions still maintained by the Debian project?


And... as for inn 1.7.2, I think it does not support STARTTLS, right? (I 
have not checked.)
The feature was added in INN 2.3.0.



> Relevant upstream patch
> (the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part)

The complete patch deals with more files than nnrpd/misc.c; the relevant 
patch is:
    http://inn.eyrie.org/trac/changeset/9259

I hope this commit #9259 will be of help!

-- 
Julien ÉLIE

« – Nous parlerons quand l'interprète dormira. [Bong !]
  – Il dort. On peut parler. » (Astérix)



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#685581; Package inn2. (Thu, 30 Aug 2012 09:15:03 GMT)


Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Thu, 30 Aug 2012 09:15:03 GMT)


Message #19 received at 685581@bugs.debian.org:

From: md@Linux.IT (Marco d'Itri)
To: Julien ÉLIE <julien@trigofacile.com>, 685581@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>
Subject: Re: Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection
Date: Thu, 30 Aug 2012 11:14:08 +0200
On Aug 29, Julien ÉLIE <julien@trigofacile.com> wrote:

> Or does it mean that a security release should be made for previous
> versions still maintained by the Debian project?
It should be, yes. (At least, if you think that it should be fixed.)

> And... as for inn 1.7.2, I think it does not support STARTTLS,
> right? (I have not checked.)
Yes.

-- 
ciao,
Marco

Marked as fixed in versions inn2/2.5.3-1. Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (Thu, 30 Aug 2012 09:15:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#685581; Package inn2. (Sun, 02 Sep 2012 14:54:03 GMT)


Acknowledgement sent to Julien ÉLIE <julien@trigofacile.com>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Sun, 02 Sep 2012 14:54:03 GMT)


Message #26 received at 685581@bugs.debian.org:

From: Julien ÉLIE <julien@trigofacile.com>
To: Marco d'Itri <md@Linux.IT>, 685581@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>
Subject: Re: Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection
Date: Sun, 02 Sep 2012 16:50:31 +0200
Hi Marco,

>> Or does it mean that a security release should be made for previous
>> versions still maintained by the Debian project?
> It should be, yes. (At least, if you think that it should be fixed.)

I do not believe taking time to fix it on older versions of INN is 
worthwhile.  Not much harm can be done in NNTP when this security hole 
is exploited.  Usually, authentication and/or host checks are required 
for sensitive newsgroups.  (Also note that once a user has been 
authenticated, STARTTLS is no longer available.)

If other people think this vulnerability can be harmful, please speak up!

-- 
Julien ÉLIE

« – Nous parlerons quand l'interprète dormira. [Bong !]
  – Il dort. On peut parler. » (Astérix)



Reply sent to Henri Salo <henri@nerv.fi>:
You have taken responsibility. (Thu, 21 Feb 2013 20:12:04 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Thu, 21 Feb 2013 20:12:04 GMT)


Message #31 received at 685581-done@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 685581-done@bugs.debian.org
Subject: closing
Date: Thu, 21 Feb 2013 22:09:42 +0200
Closing as non-important issue. Please contact me in case you need this package
backported to squeeze.

--
Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#685581; Package inn2. (Fri, 22 Feb 2013 12:18:04 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Fri, 22 Feb 2013 12:18:04 GMT)


Message #36 received at 685581@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 685581@bugs.debian.org
Subject: Re: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection
Date: Fri, 22 Feb 2013 12:15:01 -0000
Package: inn2

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/685581/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org, Marco d'Itri <md@linux.it>:
Bug#685581; Package inn2. (Fri, 22 Feb 2013 12:57:03 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Marco d'Itri <md@linux.it>. (Fri, 22 Feb 2013 12:57:03 GMT)


Message #41 received at 685581@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: <685581@bugs.debian.org>
Subject: Re: Bug#685581: Info received (inn: CVE-2012-3523 prone to STARTTLS plaintext command injection)
Date: Fri, 22 Feb 2013 12:47:01 +0000
On 2013-02-22 12:18, owner@bugs.debian.org wrote:
> Thank you for the additional information you have supplied regarding
> this Bug report.

Ah, this happened automatically because the bug was closed. There is no 
need to prepare stable packages unless stable is affected.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
			layered on top of bonghits



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Mar 2013 07:29:08 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:47:08 2019; Machine Name: buxtehude
