[Leafnode-announce] Leafnode 1.11.3.rel released (STABLE) -SECURITY UPDATE-
From: Matthias A. <mat...@gm...> - 2005-06-08 21:49:11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

----------------------------------------
leafnode 1.11.3.rel has been released.
----------------------------------------

http://leafnode.sourceforge.net/

.------------------------------------------------------------------.
| If you like leafnode, please consider donating - voluntarily     |
| Donate via https://sourceforge.net/donate/index.php?user_id=2788 |
`------------------------------------------------------------------'

Version 1.11.3 is an update that fixes one security bug where a
malicious remote server can hang fetchnews.

A binary RPM for Linux with glibc 2.2 and i486 or compatible processors
is provided. It also requires packages providing libpcre.so.0 and xinetd.

This version is or will become available in .tar.bz2 format from these sites:

o SourceForge -- Source .tar.bz2 and i486 Linux RPM
  http://sourceforge.net/projects/leafnode/
  http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=333578
  rsync://osdn.dl.sourceforge.net/sourceforge/l/le/leafnode/

o Dortmund University -- Source .tar.bz2, .tar.gz, upgrade patch,
  i486 Linux RPM
  http://home.pages.de/~mandree/leafnode/
  rsync://www.dt.e-technik.uni-dortmund.de/leafnode-1/

o IBiblio/MetaLab (will take some days to pick up) -- has FTP sites
  http://ibiblio.org/pub/Linux/MIRRORS.html
  Check the system/news/transport directory

Not all sites carry all file types (.tar.bz2, .tar.gz, .rpm).

Below are file checksums and the NEWS file excerpt, with changes since
the previous release.

The full ChangeLog ships with the tarballs and can also be viewed at
http://home.pages.de/~mandree/leafnode/ChangeLog.txt

Have fun,
Matthias Andree, Leafnode maintainer

SHA1 checksums:
6910f05c0fa4b1bb5a4baaa6e6fd529fef5ece22 *leafnode-1.11.3.rel.tar.bz2
b17fc6b361c499f35dda707dfea37e9342dcfe03 *leafnode-1.11.3.rel.tar.gz
9fbd51f861749af44646809713df2a1d839a0ab8 *upgrade-1.11.2-to-1.11.3.diff.gz

MD5 checksums:
3360247f3cebf3c8cc5accf182cd4bcd *leafnode-1.11.3.rel.tar.bz2
e6494a9c01a9a21734d0c8a0662ec1eb *leafnode-1.11.3.rel.tar.gz
b48d0ec3bb5b112bd948b08132c8db77 *upgrade-1.11.2-to-1.11.3.diff.gz

File sizes:
506217 leafnode-1.11.3.rel.tar.bz2
581429 leafnode-1.11.3.rel.tar.gz
 36391 upgrade-1.11.2-to-1.11.3.diff.gz

>-----------------------------------------------------------------------------

### SECURITY BUGFIXES

o Fetchnews did not detect timeouts while it was downloading an article
  header, which malicious upstream servers could exploit to mount a denial
  of service attack against the fetchnews client.
  See leafnode-SA-2005-02.txt. CVE Name: CAN-2005-1911

### BUGFIXES

o Bugfix sed expression in makesubst script. (Reported by Jeff Zacharias.)

### CHANGES

o texpire now tags the message.id expired count with "message.id" rather
  than "total:" to avoid misleading the user who assumes that "total:"
  would have to be the sum of the group counts. See also the FAQ change
  below. SourceForge bug #1215453.

o When debugmode and verbose mode are set, leafnode programs now print a
  warning to stdout that the user should check syslog.conf and the syslog
  output rather than the screen print for debugging and sleeps for three
  seconds.

### DOCUMENTATION

o Add FAQ entry to explain discrepancies between texpire group counts and
  message.id expired articles counts.

o Add FAQ entry to explain influence of Gnus' gnus-read-active-file setting
  on lost subscriptions, and extend stop fetchnews from unsubscribing FAQ.
  Debian bug #307685.

o Drop FAQ entry on license issues as some parts of leafnode are in fact
  GPLd.

o Drop FAQ entry on why old articles aren't posted, obsolete since 1.9.33.

o INSTALL and INSTALL_de have been polished.

o Add a hint that syslog.conf must be edited to config.example.

o leafnode(8) mentions that LIST ACTIVE keeps an existing subscription fresh.

>-----------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCp2fIvmGDOQUufZURAqgOAJ4yroHatwqwOTAtnTMdsEgfxaVglwCgv7BT
XeRnQyElB+p2WKDfrnNXyAo=
=sMm0
-----END PGP SIGNATURE-----