<inn-2.5.3 - plaintext command injection during the negotiation of a TLS layer
Bug #1039881 reported by Karma Dorje
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Gentoo Linux | Fix Released | Low | | |
inn2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
The STARTTLS implementation in INN's NNTP server for readers,
nnrpd, before 2.5.3 does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands
into encrypted sessions by sending a cleartext command that
is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.
References:
[1] https:/
[2] https:/
[3] https:/
Relevant upstream patch
(the 'diff -Nurp inn-2.5.
[4] ftp://ftp.
tags: | added: upgrade-software-version |
Changed in inn (Ubuntu): | |
status: | New → Confirmed |
Changed in gentoo: | |
importance: | Unknown → Medium |
visibility: | private → public |
affects: | inn (Ubuntu) → inn2 (Ubuntu) |
Changed in gentoo: | |
importance: | Medium → Low |
Changed in gentoo: | |
status: | Unknown → Fix Released |
* Fixed a possible plaintext command injection during the negotiation of
a TLS layer. The vulnerability detailed in CVE-2011-0411 affects the
STARTTLS and AUTHINFO SASL commands. nnrpd now resets its read buffer
upon a successful negotiation of a TLS layer. It prevents malicious
commands, sent unencrypted, from being executed in the new encrypted
state of the session.
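
The read-buffer reset described in the changelog entry above, shown on a simplified model of a line-oriented server. This is an added example, not INN's own code; the `session` struct, the function names and the constructed input (a `STARTTLS` line followed by a `DATE` line in the same plaintext read) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a line-oriented server's read buffer (not INN code). */
struct session {
    char   buf[512]; /* bytes already read from the socket, not yet parsed */
    size_t len;      /* valid bytes in buf */
    int    tls;      /* 1 once the TLS layer is active */
};

/* Pop one CRLF-terminated line into out; returns 1 if a line was available. */
int next_line(struct session *s, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < s->len; i++) {
        if (s->buf[i] != '\r' || s->buf[i + 1] != '\n') continue;
        if (i >= outsz) return 0;
        memcpy(out, s->buf, i);
        out[i] = '\0';
        s->len -= i + 2;
        memmove(s->buf, s->buf + i + 2, s->len);
        return 1;
    }
    return 0;
}

/* Activate TLS. If reset is set, bytes buffered before the handshake are
 * discarded; the count is returned so the caller can log the event. */
size_t start_tls(struct session *s, int reset) {
    size_t dropped = reset ? s->len : 0;
    s->len -= dropped;
    s->tls = 1;
    return dropped;
}

/* Returns 1 if a line received in plaintext is still parsed after TLS is up. */
int plaintext_survives_tls(int reset) {
    static const char wire[] = "STARTTLS\r\nDATE\r\n"; /* constructed input */
    struct session s = { .len = sizeof wire - 1, .tls = 0 };
    char line[128];
    memcpy(s.buf, wire, s.len);
    if (!next_line(&s, line, sizeof line)) return -1; /* consume STARTTLS */
    start_tls(&s, reset);
    return next_line(&s, line, sizeof line) && s.tls;
}

int main(void) {
    printf("no reset: %d, reset: %d\n", plaintext_survives_tls(0), plaintext_survives_tls(1));
    return 0;
}
```

A non-zero return from `start_tls` means plaintext was pending when the handshake began, which is worth logging as a sign of pipelined or injected input.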