[Leafnode-announce] Leafnode 1.11.2.rel released (STABLE) -SECURITY UPDATE-
From: Matthias A. <mat...@gm...> - 2005-05-05 11:22:05
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

----------------------------------------
leafnode 1.11.2.rel has been released.
----------------------------------------

http://leafnode.sourceforge.net/

.------------------------------------------------------------------.
| If you like leafnode, please consider donating - voluntarily     |
| Donate via https://sourceforge.net/donate/index.php?user_id=2788 |
`------------------------------------------------------------------'

Version 1.11.2 is an update that fixes two security bugs where a
malicious remote server can crash fetchnews. It also fixes a few other
minor bugs, among them Debian bug #70052: fetchnews is now more careful
about when to re-fetch an active file.

A binary RPM for Linux with glibc 2.2 and i486 or compatible processors
is provided. It also requires packages providing libpcre.so.0 and xinetd.

This version is or will become available in .tar.bz2 format from these
sites:

o SourceForge -- Source .tar.bz2 and i486 Linux RPM
  http://sourceforge.net/projects/leafnode/
  http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=325112
  rsync://osdn.dl.sourceforge.net/sourceforge/l/le/leafnode/

o Dortmund University -- Source .tar.bz2, .tar.gz, upgrade patch,
  i486 Linux RPM
  http://home.pages.de/~mandree/leafnode/
  rsync://www.dt.e-technik.uni-dortmund.de/leafnode-1/

o IBiblio/MetaLab (will take some days to pick up) -- has FTP sites
  http://ibiblio.org/pub/Linux/MIRRORS.html
  Check the system/news/transport directory

Not all sites carry all file types (.tar.bz2, .tar.gz, .rpm).

Below are file checksums and the NEWS file excerpt, with changes since
the previous release.

The full ChangeLog ships with the tarballs and can also be viewed at
http://home.pages.de/~mandree/leafnode/ChangeLog.txt

Have fun,
Matthias Andree, Leafnode maintainer

SHA1 checksums:
138904683e9fa7f8630bc7e0273f2085ad4e7784 *leafnode-1.11.2.rel.tar.bz2
786c36725604be654bf41922ce924e3487a22be7 *leafnode-1.11.2.rel.tar.gz
c47d4ece2c84f8366e611f3b4a79c08385c580c3 *upgrade-1.11.1-to-1.11.2.diff.gz

MD5 checksums:
bb97b9f654f54973e3c90bd11e6d8b24 *leafnode-1.11.2.rel.tar.bz2
85ee515acf4dfc025316f8cc19b37ecf *leafnode-1.11.2.rel.tar.gz
676805b00dce2b66c0eb79790e4ef646 *upgrade-1.11.1-to-1.11.2.diff.gz

File sizes:
391034 leafnode-1.11.2.rel.tar.bz2
469005 leafnode-1.11.2.rel.tar.gz
  5541 upgrade-1.11.1-to-1.11.2.diff.gz

>-----------------------------------------------------------------------------

### SECURITY BUGFIXES

NOTE: at the time this section was written, the CVE number was not yet
known. The ID will be posted to
http://leafnode.sourceforge.net/security.shtml and has been requested
from the FreeBSD security team as a CVE CNA.

o Fix fetchnews segfault when connection to server dies while fetchnews
  is reading an article body (use-after-free bug). Regression introduced
  into leafnode v1.9.52. Denial of service possible, see
  leafnode-SA-2005-01.txt.

o Fix fetchnews segfault when connection to server dies while fetchnews
  is reading an article header. Regression in security fix of leafnode
  v1.9.48. Denial of service possible, see leafnode-SA-2005-01.txt

### BUGFIXES

o fetchnews will no longer re-fetch the active file for a server if it
  has been completely received even if fetching articles from this
  server encounters a problem. Long-standing bug. Debian bug #70052.

o fetchnews will now properly mark the active for complete re-fetch if
  it says so. Previously, it forgot the mark in some circumstances.

o A problem fetching the active file or descriptions for a newly added
  server will now mark the active for re-fetch even if articles have
  successfully been retrieved from the same server.

### DOCUMENTATION

o Repair two lines in the German leafnode(8) manual page that became
  invisible as they ran together with a .PP macro.

>-----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCeOjsvmGDOQUufZURAjLzAJ9q7eCF8xdQdbotDtqGFJ8XM55+LwCfXlNH
J+iY/8h7ztd0ihUogKBWNX8=
=ey+E
-----END PGP SIGNATURE-----