* Fixed a possible plaintext command injection during the negotiation of a TLS layer. The vulnerability detailed in CVE-2011-0411 affects the STARTTLS and AUTHINFO SASL commands. nnrpd now resets its read buffer upon a successful negotiation of a TLS layer. It prevents malicious commands, sent unencrypted, from being executed in the new encrypted state of the session.
Arch teams, please test and mark stable:
=net-nntp/inn-2.5.3
Stable KEYWORDS : amd64 ppc x86
amd64 stable
x86 stable
ping
ppc64?
ppc done
CVE-2012-3523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3523): The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Thanks, everyone. GLSA vote: yes.
Yes, created GLSA request.
Nothing else to do for net-news here.
This issue was resolved and addressed in GLSA 201401-24 at http://security.gentoo.org/glsa/glsa-201401-24.xml by GLSA coordinator Chris Reffett (creffett).
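The read-buffer reset described in the changelog entry and in the CVE-2012-3523 text above, as an added example that is not INN's code and not part of the original thread: a simplified line reader in which `struct session`, `next_line` and `cleartext_cmds_run_under_tls` are hypothetical names, the TLS handshake is assumed to succeed, and the input segment is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a line-buffered NNTP reader (hypothetical, not INN's code). */
struct session {
    char buf[256];  /* NUL-terminated read buffer filled from the socket */
    int  tls;       /* 1 once the TLS layer is negotiated */
};

/* Pop one CRLF-terminated line from s->buf into out; return 1 if a line was read. */
static int next_line(struct session *s, char *out, size_t outsz) {
    char *eol = strstr(s->buf, "\r\n");
    if (eol == NULL)
        return 0;
    snprintf(out, outsz, "%.*s", (int)(eol - s->buf), s->buf);
    memmove(s->buf, eol + 2, strlen(eol + 2) + 1);
    return 1;
}

/* Load one cleartext segment, process it, and return how many commands that
 * arrived before the handshake were executed after TLS was in place. */
int cleartext_cmds_run_under_tls(const char *segment, int reset_on_tls) {
    struct session s = { .buf = "", .tls = 0 };
    char line[128];
    int stale = 0;

    snprintf(s.buf, sizeof s.buf, "%s", segment);
    while (next_line(&s, line, sizeof line)) {
        if (s.tls) {            /* buffered cleartext treated as encrypted input */
            stale++;
            continue;
        }
        if (strcmp(line, "STARTTLS") == 0) {
            s.tls = 1;          /* handshake assumed to succeed here */
            if (reset_on_tls)
                s.buf[0] = '\0';    /* the fix: drop bytes read before TLS */
        }
    }
    return stale;
}

int main(void) {
    const char *seg = "STARTTLS\r\nDATE\r\n";   /* constructed sample input */
    printf("without reset: %d, with reset: %d\n",
           cleartext_cmds_run_under_tls(seg, 0),
           cleartext_cmds_run_under_tls(seg, 1));
    return 0;
}
```

A regression test for a server can use the same idea: send STARTTLS and a second command in one write, then check that the second command gets no response inside the encrypted session.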