INN Patches: Security
Applying to INN 1.6b3
Known security problems are listed in the INN 1.6b3 Software Action Items, tagged with "critical".
Applying to INN 1.5.1
NOTE: October 1997: The ISC released INN 1.7, which includes security-patch.05 and fixes other security holes. INN 1.7 is based on the 1.5.1corr release from Mib Software. See inn1.5.1corr/1.7.
This list is now included in the INN 1.5.1 Software Action Items, tagged with "critical".
Applying to INN 1.5
security-patch.01 For version 1.5.
Type: Security hole
Symptom: Arbitrary command execution as user news via control messages,
regardless of control.ctl settings.
Applies to: INN-1.5/samples/parsecontrol
OS: all
Incorporated into 1.5.1: Yes
Authored: Matt Power, 3 Dec 1996
security-patch.05 For version 1.5.1 *and* for previous versions of INN patched with prior security patches (this means if you're not running 1.5.1, then you first need to apply one of security-patch.01, security-patch.02, security-patch.03, and then apply security-patch.05)
Type: Security hole, similar to security-patch.02
Symptom: Arbitrary command execution as user news via control messages,
regardless of control.ctl settings.
Also fixes a potential hole through ucb/mail, if that is what is used.
Applies to: parsecontrol
OS: all
Incorporated into 1.5.1: No
Authored: James Brister, 4 Apr 1997
ftp://ftp.isc.org/isc/inn/unoff-patches/1.5/null-pointer.patch
3 Kb Fri Dec 20 15:51:00 1996
Type: Bug/Security Fix
Symptom: 1060 character Path header crashes innd.
Applies to: INN-1.5/innd/art.c
OS: all
Incorporated into 1.5.1: No. See separate patch.
Authored: Michael Shields, 17 Dec 1996
ftp://ftp.isc.org/isc/inn/unoff-patches/1.5/parsecontrol-security.patch
3 Kb Tue Dec 03 22:03:00 1996
Type: Security hole
Symptom: Arbitrary command execution as user news via control messages,
regardless of control.ctl settings.
Applies to: INN-1.5/samples/parsecontrol
OS: all
Incorporated into 1.5.1: No. See separate patch.
Authored: Matt Power, 3 Dec 1996
Applying to INN 1.4 (various)
security-patch.02 For version 1.4sec
Type: Security hole, same as security-patch.01
Symptom: Arbitrary command execution as user news via control messages,
regardless of control.ctl settings.
Applies to: parsecontrol
OS: all
Incorporated into 1.5.1: Yes
Authored: James Brister, Matt Power, 3 Dec 1996
security-patch.03 For version 1.4unoff3 and 1.4unoff4
Type: Security hole, same as security-patch.01
Symptom: Arbitrary command execution as user news via control messages,
regardless of control.ctl settings.
Applies to: parsecontrol
OS: all
Incorporated into 1.5.1: Yes
Authored: James Brister, Matt Power, 3 Dec 1996
security-patch.05 For version 1.5.1 *and* for previous versions of INN patched with prior security patches (this means if you're not running 1.5.1, then you first need to apply one of security-patch.01, security-patch.02, security-patch.03, and then apply security-patch.05)
Type: Security hole, similar to security-patch.02
Symptom: Arbitrary command execution as user news via control messages,
regardless of control.ctl settings.
Also fixes a potential hole through ucb/mail, if that is what is used.
Applies to: parsecontrol
OS: all
Incorporated into 1.5.1: No
Authored: James Brister, 4 Apr 1997
You can find a summary and links related to this topic
as part of the Mib Software Usenet RKT.