Bugtraq mailing list archives

Security problem in C news and INN

From: an46153 () anon penet fi (Featherlace)
Date: Wed, 23 Feb 1994 14:40:19 UTC


Maybe I'm the last person on the planet to realize this.....  is it common
knowledge that there's a *major* security hole in both C news performance
release, and old versions of INN?

If anyone doesn't know what I'm talking about, then you may want to disable
newgroup and checkgroups processing from C news (performance release), and
disable processing of ALL control messages except cancel from INN.  Disable
them <completely>, best with an "exit 0" at the first line of all
appropriate scripts.  Do not attempt to interpret or process these articles
in any way.  Don't do _anything_ with these articles except ignore them.
This is overkill, but anything more specific would be too much of a
giveaway.

Someone, perhaps me, will post more details about this in a future message.

 ------------------------------------------To find out more about the anon service, send mail to help () anon penet fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin () anon penet fi.

Current thread:

syslog/udp Tim Newsham (Feb 20)
- <Possible follow-ups>
- Re: syslog/udp Dave Hayes (Feb 22)
  - Re: syslog/udp John Hawkinson (Feb 23)
    - Security problem in C news and INN Featherlace (Feb 23)
    - Re: Security problem in C news and INN Casper Dik (Feb 24)
    - Re: Security problem in C news and INN Perry E. Metzger (Feb 24)
    - Re: syslog/udp scott () santafe edu (Feb 23)
    - Re: syslog/udp Tim Newsham (Feb 23)
    - Re: syslog/udp Julian Assange (Feb 23)
    - daemon() Jim Wright (Feb 24)
    - Thanks! Dave Hayes (Feb 23)
- Re: syslog/udp Jim Duncan (Feb 24)