Your message dated Mon, 17 Apr 2006 17:41:10 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#338886: fixed in leafnode 1.11.2.rel-1.0sarge0
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: leafnode
Version: 1.11.2.rel-1
Severity: grave
Tags: security upstream confirmed fixed-upstream

Leafnode 1.11.2 contains a denial of service bug, fixed in subsequent
versions. Find below the full security announcement.

Please fix. Thank you,  -- Matthias
-----------------------------------------------------------------------

leafnode-SA-2005:02.fetchnews-hangs-on-header

Topic:          potential denial of service in leafnode

Announcement:   leafnode-SA-2005:02
Author:         Matthias Andree
Version:        1.00
Announced:      2005-06-08
Category:       main
Type:           potential denial of service
Impact:         fetchnews hangs, no new fetchnews/texpire processes
                can be started
Credits:        Adam Funk (bug report)
Danger:         medium:
                - no build-up of memory consumption
                - no privilege escalation through this bug
                - malicious upstream server can be unlisted
CVE Name:       CVE-2005-1911
URL:            http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1911

Affects:        leafnode versions up to and including 1.11.2

Not affected:   leafnode 1.11.3

Default install: affected.

Corrected:      2005-06-08 14:06 UTC (CVS) - committed corrected version
                2005-06-08                   leafnode 1.11.3 released

0. Release history

2005-06-08      1.00 initial announcement

1. Background

leafnode is a store-and-forward proxy for Usenet news; it uses the
network news transfer protocol (NNTP). It consists of several
collaborating programs: the server part is usually started by inetd,
xinetd or tcpserver, the client part is usually started by cron,
a PPP post-connect script or manually.

This security announcement pertains to leafnode-1, the stable branch.

The leafnode-2 development branch is not subject to security announcements.

2. Problem description

A vulnerability was found in the fetchnews program (the NNTP client) that
may under some circumstances cause a wait for input that never arrives:
fetchnews "hangs". This hang does not cost CPU.

3. Impact

As only one fetchnews program can run at a time, subsequently started
fetchnews and texpire programs will terminate. This means that the news
database will no longer be updated, older articles will no longer
expire, until the hanging fetchnews process gets unstuck, usually
through a manual "kill" command or a reboot.

4. Workaround

Comment out all configuration pertaining to the malicious server.

Note that this is not a full solution as transient network errors can
also cause delays in querying other network servers, and it requires
manual intervention to find out which server is malicious.

5. Solution

Upgrade your leafnode package to version 1.11.3.
leafnode 1.11.3 is available from SourceForge:
<http://sourceforge.net/project/showfiles.php?group_id=57767>

Leafnode 1.X versions are deemed stable, and it is usually best to go
for the latest released 1.X version to have all the other bug fixes as
well.

A. References

leafnode home page: <http://leafnode.sourceforge.net/>

B. Copyright and License

(C) Copyright 2005 by Matthias Andree, <[EMAIL PROTECTED]>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

END OF leafnode-SA-2005:02.fetchnews-hangs-on-header


--- End Message ---
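The hang described in section 2 of the advisory above is, at the protocol level, a client blocked on a socket read for data that a misbehaving upstream never sends. What follows is an added example, not leafnode's code and not the fix shipped in 1.11.3 (the page does not detail that change): a minimal reader for an NNTP multi-line data block (lines up to a lone "." terminator, with dot-stuffing undone) that bounds every wait with a socket timeout, exercised against two constructed upstream replies over a local socketpair. The function and constant names, the timeout values, the byte limit and the sample replies are all assumptions made for this example.

```python
import socket

# Constructed sample replies, shaped like what an upstream NNTP server sends
# after HEAD/ARTICLE.  A well-formed block ends with a line holding a single ".".
GOOD_REPLY = (b"Path: news.example.invalid!not-for-mail\r\n"
              b"Subject: test\r\n"
              b"..leading dot, dot-stuffed on the wire\r\n"
              b"\r\n"
              b"body\r\n"
              b".\r\n")
# A misbehaving upstream: headers start, then the connection simply goes quiet
# and the terminating "." never arrives.
SILENT_REPLY = (b"Path: news.example.invalid!not-for-mail\r\n"
                b"Subject: never terminated\r\n")


def read_multiline(sock, timeout=2.0, max_bytes=1 << 20):
    """Read one NNTP multi-line block from sock, bounding every wait.

    Returns the list of lines (bytes, CRLF stripped, dot-stuffing removed).
    Raises socket.timeout if the peer stops sending before the "." line,
    ConnectionError if it closes early, ValueError on an absurdly long line.
    """
    sock.settimeout(timeout)  # the essential guard: no recv() may block forever
    buf = bytearray()
    lines = []
    while True:
        nl = buf.find(b"\r\n")
        if nl < 0:
            if len(buf) > max_bytes:
                raise ValueError("line exceeds %d bytes" % max_bytes)
            chunk = sock.recv(4096)  # raises socket.timeout once the peer goes silent
            if not chunk:
                raise ConnectionError("peer closed connection before end of block")
            buf += chunk
            continue
        line = bytes(buf[:nl])
        del buf[:nl + 2]
        if line == b".":
            return lines  # end of block
        if line.startswith(b".."):
            line = line[1:]  # undo dot-stuffing (RFC 3977, multi-line data blocks)
        lines.append(line)


def probe_upstream(reply, timeout=0.5):
    """Feed a constructed reply through a local socketpair and classify the outcome.

    Returns ("ok", lines) for a complete block, ("timeout", None) when the
    bounded read gives up waiting for the terminator.
    """
    client, upstream = socket.socketpair()
    try:
        upstream.sendall(reply)  # everything the simulated "server" will ever send
        try:
            return "ok", read_multiline(client, timeout=timeout)
        except socket.timeout:
            return "timeout", None
    finally:
        client.close()
        upstream.close()


if __name__ == "__main__":
    for name, reply in (("good", GOOD_REPLY), ("silent", SILENT_REPLY)):
        status, lines = probe_upstream(reply)
        print(name, status, lines)
```

Without the settimeout call, the second probe would block in recv() indefinitely, which is the shape of failure the advisory describes: no CPU burned, but the process never exits. With the bound in place the client fails the fetch from that server and returns, so a single-instance client like fetchnews releases its lock and the next scheduled run can proceed. The byte limit is a separate guard against a peer that keeps sending without ever ending a line.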
--- Begin Message ---
Source: leafnode
Source-Version: 1.11.2.rel-1.0sarge0

We believe that the bug you reported is fixed in the latest version of
leafnode, which is due to be installed in the Debian FTP archive:

leafnode_1.11.2.rel-1.0sarge0.diff.gz
  to pool/main/l/leafnode/leafnode_1.11.2.rel-1.0sarge0.diff.gz
leafnode_1.11.2.rel-1.0sarge0.dsc
  to pool/main/l/leafnode/leafnode_1.11.2.rel-1.0sarge0.dsc
leafnode_1.11.2.rel-1.0sarge0_powerpc.deb
  to pool/main/l/leafnode/leafnode_1.11.2.rel-1.0sarge0_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Brown <[EMAIL PROTECTED]> (supplier of updated leafnode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  1 Jan 2006 12:34:13 +0000
Source: leafnode
Binary: leafnode
Architecture: source powerpc
Version: 1.11.2.rel-1.0sarge0
Distribution: stable
Urgency: low
Maintainer: Mark Brown <[EMAIL PROTECTED]>
Changed-By: Mark Brown <[EMAIL PROTECTED]>
Description: 
 leafnode   - NNTP server for small leaf sites
Closes: 338886
Changes: 
 leafnode (1.11.2.rel-1.0sarge0) stable; urgency=low
 .
   * Backport fix for CVE 2005-1911 fixing a denial of service problem in
     fetchnews (closes: #338886).
Files: 
 16051b75917eb49fdbd7698fb49e2317 610 news extra leafnode_1.11.2.rel-1.0sarge0.dsc
 663455c1162549b0e46e5db75bb4bb20 37490 news extra leafnode_1.11.2.rel-1.0sarge0.diff.gz
 c7b52febbf799d8bae2db1d9a1af5dd5 333650 news extra leafnode_1.11.2.rel-1.0sarge0_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDt9E9J2Vo11xhU60RAlBGAKCLU5o5HqcEM/wDITs8630RYMDfUwCeMF10
UnovsWVwNCkHEGl7QCsivQg=
=TdDC
-----END PGP SIGNATURE-----


--- End Message ---
