Which Version?

Russ Allbery rra at stanford.edu
Thu Mar 15 00:30:42 UTC 2001


David Smith <David.Smith at esa.int> writes:

> I'm not a news expert, more of a general UNIX consultant, so I'd like to
> poll the views of the group on this. Is version 1.7 a really much of a
> security risk?

I don't know of any outstanding security problems in INN 1.7 apart from a
DoS vulnerability to control message floods and possibly security problems
in inews and rnews.  If you're running a stand-alone server (ie, users
don't need to log on to the machine and run inews to post, which is the
normal case), and you're not doing anything with mail to news gateways and
the like that require arbitrary users run inews (or accepting UUCP feeds
that require running rnews), you can just remove the setuid and setgid
bits of both rnews and inews.

The result is a system with a security level that I'd be fairly
comfortable with.  You may want to upgrade to INN 1.7.2-insync-1.1d if
that isn't what you're already running; that was essentially the "final"
release of INN 1.7 and is *extremely* stable (I'm still running it on a
system here).  It's probably the most stable traditional spool news server
available, although I'm hoping to eventually get INN 2 up to that level.

You can get the source tarball for INN 1.7.2-insync-1.1d from ftp.isc.org
in /isc/inn/OLD/1.7.  Upgrading from any version of INN 1.7 should just be
a simple matter of compiling and doing "make upgrade", if I remember
correctly.

Note that INN 1.7 didn't have autoconf support, though, so compilation is
a bit of a pain the first time you do it.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the inn-workers mailing list