Edited from the message to Usenet RKT subscribers, 11/3/97

....Critical defect in expireover discovered....

The defect was discovered and reported by Mike Brudenell to inn-bugs@isc.org. Characterization and further details provided here by Mib Software.

Defect in: expire/expireover.c

The defect is in the expireover-memleak patch that Mib Software inserted into 1.5.1corr (and 1.7) to fix a very large memory leak in the 1.6b3 fixes.

Symptoms:
Under some circumstances, the defective code can attempt to free an invalid memory pointer. This causes expireover to fail (dump core) which will prevent expireover from completing normally.

Versions affected:
Versions: 1.5.1corr and derivatives, including 1.7
          1.6b3 (with the expireover-memleak patch)
          and 1.5.2.
Systems which are not running overviews are not affected.

Recommendations:
[Deleted. For subscribers only.]

Background:
Mike Brudenell did correctly indicate which line was defective, and how it could be fixed. The attached fix is a bit different than the one suggested by Mike Brudenell. This is to make the code match the handling semantics of allocated buffers in other parts of innd, such as innd/art.c.

For information about how to receive these messages as a subscriber, see http://www.mibsoftware.com/rktsub.htm

Forrest Cavalier, Mib Software, originator of INN 1.7

This message, including the patch, will also be available at:
http://www.mibsoftware.com/userkt/inn/patches/eo971103.msg

For a list of known defects in release versions of inn 1.5.1 to 1.7, see:
http://www.mibsoftware.com/userkt/inn/patches/

*** expire/expireover.c.orig Tue Oct 07 07:17:58 1997 --- expire/expireover.c Mon Nov 03 08:34:08 1997 *************** *** 438,444 **** caller's use. mibsoft 8/22/97 */ for (hp = Headers, i = ARTfieldsize; --i >= 0; hp++) { ! if (hp->Header) { DISPOSE(hp->Header); hp->Header = 0; } --- 438,444 ---- caller's use. mibsoft 8/22/97 */ for (hp = Headers, i = ARTfieldsize; --i >= 0; hp++) { ! 
if (hp->Length) { /* Was hp->Header. Fix due to pmb1@york.ac.uk 11/3/97 */ DISPOSE(hp->Header); hp->Header = 0; }
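
Review bot: The new guard in the cleanup loop tests hp->Length but the body still frees and clears hp->Header, so after this block runs the two fields disagree: Header is 0 while Length keeps its old non-zero value. If the loop can be reached again before Length is reassigned, the guard passes and DISPOSE(hp->Header) is called on a pointer that is no longer an allocated buffer. Consider resetting hp->Length = 0 next to hp->Header = 0, or confirm that every path back to this loop rewrites Length first. The inline comment records what the test used to be but not why Length is the right indicator; it would help to state the invariant the guard relies on (a non-zero Length means Header points at a buffer this code allocated and owns), since the message says the intent is to match the buffer handling in innd/art.c.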