-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

leafnode-SA-2003:01.fetchnews-hang

Topic:    potential denial of service in leafnode

Announcement:  leafnode-SA-2003:01
Writer:    Matthias Andree
Version:  1.01
Announced:  2003-09-04
Category:  main
Type:    potential denial of service
Impact:    fetchnews hangs, no new fetchnews/texpire processes
    can be started
Credits:  Joshua Crawford (for sending a precise bug report)
Danger:    medium:
    - only one process will clog memory since leafnode-1.9.20
      bug can hang for an extended amount of time
    - no privilege escalation through this bug

Affects:  leafnode 1.9.3 (1999) up to 1.9.41 (2003)

Not affected:  leafnode 1.9.42 and newer

Default install: affected.

Introduced:  between 1999-03-03 and 1999-07-15 (no precise date found)
    1999-07-15 07:49    leafnode 1.9.3 announced by Cornelius Krasel

Corrected:  2003-06-20 22:57:48 UTC (CVS) - committed corrected version
    2003-06-27 11:29    leafnode 1.9.42 released

0. Release history

2003-09-02  1.00 initial announcement
2003-09-04  1.01 mention leafnode 1.9.43 in body text, drop appendix A

1. Background

leafnode is a store-and-forward proxy for Usenet news, is uses the
network news transfer protocol (NNTP). It consists of several
collaborating programs, the server part is usually started by inetd,
xinetd or tcpserver, the client part is usually started by cron or
manually.

This security announcement pertains to leafnode-1, the stable branch.

The leafnode-2 development branch has not yet seen a stable release, so
it is not subject to security announcements.

2. Problem description

A vulnerability was found in the fetchnews program (the NNTP client) that
may under some circumstances cause wait for input that never arrives,
fetchnews "hangs". This hang does not cost CPU.

This bug was not deemed security relevant at first, but as it can
be triggered from the outside, by providing malformatted (non-RFC-1036)
Usenet news articles, and because it then stops unattended systems from
functioning, it was decided to release this security announcement.

3. Impact

As only one fetchnews program can run at a time, subsequently started
fetchnews and texpire programs will terminate immediately. This means
that the news base will no longer be updated, older articles will no
longer expire, until the hanging fetchnews process gets unstuck, usually
through a manual "kill" command or a reboot.

4. Workaround

No reliable workaround possible.

NOTE: Killing fetchnews before completion leaves stale data on disk and
is therefore not deemed reliable, although it relieves the immediate
"cannot start texpire or fetchnews" condition.

5. Solution

Upgrade your leafnode package to version 1.9.42 or later.
At this time, leafnode 1.9.43 is the up-to-date stable release.

Note that leafnode 1.9.X versions are deemed stable, and it is usually
best to go for the latest released 1.9.X version to have all the other
bug fixes as well. No broken-out version of this patch will be
provided, distributors are urged to update to the latest leafnode
version.

leafnode 1.9.43 is available from sourceforge:

http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=182196

This policy of not providing a broken-out patch may generate a conflict
with some distribution's post-release update policies.

As the current leafnode maintainer, I do not have financial and time
ressources to provide support for any but the latest released version.

People keep reporting bugs about leafnode-1.9.33, 1.9.24 or 1.9.19,
which is a waste of time for the user and the leafnode maintainer.

6. Solution details

revision 1.111
date: 2003/06/20 22:57:48;  author: emma;  state: Exp;  lines: +10 -4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/VpMCvmGDOQUufZURApo+AKCdn6Cgaf58vShPQiMdHq5Me7LHLACfXnlm
hccjEwCoz7vi/MQe3SoV5IQ=
=G03p
-----END PGP SIGNATURE-----