Bugtraq mailing list archives

Re: SNI-16: INN News Server Security Advisory


From: nmehl () LEFTBANK COM (Nathan J. Mehl)
Date: Mon, 28 Jul 1997 15:01:55 -0400


In the immortal words of Christopher Samuel:

In message <Pine.BSI.3.96.970721144428.9165A-100000 () silence secnet com>,
        "Secure Networks Inc." <sni () SILENCE SECNET COM> writes:

Fix Information
~~~~~~~~~~~~~~~

INN version 1.6 has been made available at ftp://ftp.isc.org/isc/inn.  A
fix will not be made available for prior releases and it is suggested that
all users running INN upgrade to version 1.6 immediately.

Be aware that the SNI advisory is wrong on two counts here:

1.      There is no "INN 1.6", at least not a released version.  There
        is an early beta test version of 1.6 available on the ISC ftp
        site, but it is rather unstable and not at all a drop-in
        replacement for 1.5.1.  There is an active discussion on the
        news.software.nntp newsgroup about this -- the current consensus
        is that 1.6b1 is not suitable for use in anything but a testing
        environment.

2.      As of last Friday, 25 Jul 97, the ISC has announced that they
        will be making a set of patches for 1.5.1 available.

It would appear that Miquel van Smoorenburg at Cistron has made available
a patch for this bug; it's available from:

                http://miquels.www.cistron.nl/inn/

I'm just passing this pointer on.

Disclaimer: Caveat emptor, examine the patch yourself and satisfy
            yourself with what it does. All disclaimers apply.
            Don't blame me for it.

Miquel is currently actively discussing his patches on news.software.nntp;
a quick search with DejaNews can provide a great deal of relevant information
on the subject.

-n

--
The life of a sysadmin is always intense!
Nathan J. Mehl   ---   The LeftBank Operation
nmehl () leftbank com -- http://www.leftbank.com


