MGASA-2012-0305
| Date: | October 29th, 2012 |
| Affected releases: | 1, 2 |
Description:
Updated inn packages fix security vulnerability:
The STARTTLS implementation in INN's NNTP server for readers, nnrpd,
before 2.5.3 does not properly restrict I/O buffering, which allows
man-in-the-middle attackers to insert commands into encrypted sessions
by sending a cleartext command that is processed after TLS is in place,
related to a plaintext command injection attack, a similar issue to
CVE-2011-0411 (CVE-2012-3523).
Updated Packages:
Mageia 1:
inn-2.5.3-1.mga1
inn-devel-2.5.3-1.mga1
inews-2.5.3-1.mga1
Mageia 2:
inn-2.5.3-1.mga2
inn-devel-2.5.3-1.mga2
inews-2.5.3-1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3523
https://www.isc.org/software/inn/2.5.3article
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:156
https://bugs.mageia.org/show_bug.cgi?id=7674
