[DRAFT] INN 2.4.1 available

Russ Allbery rra at stanford.edu
Wed Jan 7 23:52:38 UTC 2004


From: Russ Allbery <rra at isc.org>
Organization: Internet Software Consortium
Subject: [ANNOUNCE] INN 2.4.1 available
To: inn-announce at isc.org
Newsgroups: news.software.nntp

The Internet Software Consortium is pleased to announce a new bug fix and
security release of INN is available at:

    ftp://ftp.isc.org/isc/inn/inn-2.4.1.tar.gz

The MD5 checksum of this release is:

    bec635b6e70188071fdb539cd374f2ba

A PGP signature is available in the same directory.  There is a patch from
2.4.0 to 2.4.1 available there as well.

This release fixes a security vulnerability that may be remotely
exploitable.  We strongly urge all users of INN 2.4.0 or STABLE snapshots
to upgrade to this release as soon as possible.  INN 2.3.x and earlier are
not affected by this vulnerability.

This is a bug-fix release over 2.4.0.  Upgrading an existing INN 2.4.0
installation is as simple as building INN 2.4.1, running make update, and
restarting innd and related programs.

Changes from 2.4.0 to 2.4.1:

  * SECURITY: Handle the special filing of control messages into per-type
    newsgroups more robust.  This closes a potentially exploitable buffer
    overflow.  Thanks to Dan Riley for his excellent bug report.

  * Fixed article handling in innd so that articles without a Path header
    (arising from peers sending malformatted articles or injecting
    malformatted articles through rnews) would not cause innd to crash. 
    (This was not exploitable.)

  * Fixed a serious bug in XPAT handling, thanks to Tommy van Leeuwen.

  * configure now looks for sendmail only in /usr/sbin and /usr/lib, not
    on the user's path.  This should reduce the need for --with-sendmail
    if your preferred sendmail is in a standard location.

  * The robustness of the tradindexed overview method has been further
    increased, handling more edge cases arising from corrupted databases
    and oddly-named newsgroups.

  * innd now never decreases the high water mark of a newsgroup when
    renumbering, which should help ameliorate overview and active file
    synchronization problems.

  * Do not close and reopen the history file on ctlinnd reload when the
    server is paused or throttled.  This was breaking ctlinnd reload all
    during a server pause.

  * Various minor portability and compilation issues fixed.  Substantial
    numbers of compiler warnings have been cleaned up, thanks largely to
    work by Ilya Kovalenko.

  * Multiple other more minor bugs have been fixed.

  * Documentation and man pages have been clarified and updated.

Please submit all bug reports to inn-bugs at isc.org.  Please send all
patches to inn-patches at isc.org.

                                        Russ Allbery
                                        Katsuhiro Kondou
                                        inn at isc.org

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.


More information about the inn-workers mailing list