* Fixed a possible plaintext command injection during the negotiation of
a TLS layer. The vulnerability detailed in CVE-2011-0411 affects the
STARTTLS and AUTHINFO SASL commands. nnrpd now resets its read buffer
upon a successful negotiation of a TLS layer. It prevents malicious
commands, sent unencrypted, from being executed in the new encrypted
state of the session.
Arch teams, please test and mark stable:
Stable KEYWORDS : amd64 ppc x86
The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly
restrict I/O buffering, which allows man-in-the-middle attackers to insert
commands into encrypted sessions by sending a cleartext command that is
processed after TLS is in place, related to a "plaintext command injection"
attack, a similar issue to CVE-2011-0411.
GLSA vote: yes.
Yes, created GLSA request.
Nothing else to do for net-news here.
This issue was resolved and addressed in
GLSA 201401-24 at http://security.gentoo.org/glsa/glsa-201401-24.xml
by GLSA coordinator Chris Reffett (creffett).