[leafnode-list] [Leafnode-announce] Leafnode 1.11.2.rel released (STABLE) -SECURITY UPDATE-

Matthias Andree matthias.andree at gmx.de
Wed May 4 17:23:24 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                ----------------------------------------
                 leafnode 1.11.2.rel has been released.
                ----------------------------------------
                    http://leafnode.sourceforge.net/

.------------------------------------------------------------------.
| If you like leafnode, please consider donating - voluntarily     |
| Donate via https://sourceforge.net/donate/index.php?user_id=2788 |
`------------------------------------------------------------------'

Version 1.11.2 is an update that fixes two security bugs where a
malicious remote server can crash fetchnews. It also fixes a few other
minor bugs, among them Debian bug #70052: fetchnews is now more careful
about when to re-fetch an active file.


A binary RPM for Linux with glibc 2.2 and i486 or compatible processors
is provided. It also requires packages providing libpcre.so.0 and xinetd.

This version is or will become available in .tar.bz2 format from these sites:

o SourceForge -- Source .tar.bz2 and i486 Linux RPM
   http://sourceforge.net/projects/leafnode/
   http://sourceforge.net/project/showfiles.php?group_id=57767&release_id=325112
   rsync://osdn.dl.sourceforge.net/sourceforge/l/le/leafnode/

o Dortmund University -- Source .tar.bz2, .tar.gz, upgrade patch, i486 Linux RPM
   http://home.pages.de/~mandree/leafnode/
   rsync://www.dt.e-technik.uni-dortmund.de/leafnode-1/

o IBiblio/MetaLab (will take some days to pick up) -- has FTP sites
   http://ibiblio.org/pub/Linux/MIRRORS.html
   Check the system/news/transport directory

Not all sites carry all file types (.tar.bz2, .tar.gz, .rpm).

Below are file checksums and the NEWS file excerpt, with changes since
the previous release.  The full ChangeLog ships with the tarballs and
can also be viewed at http://home.pages.de/~mandree/leafnode/ChangeLog.txt

Have fun,
Matthias Andree, Leafnode maintainer

SHA1 checksums:
138904683e9fa7f8630bc7e0273f2085ad4e7784 *leafnode-1.11.2.rel.tar.bz2
786c36725604be654bf41922ce924e3487a22be7 *leafnode-1.11.2.rel.tar.gz
c47d4ece2c84f8366e611f3b4a79c08385c580c3 *upgrade-1.11.1-to-1.11.2.diff.gz

MD5 checksums:
bb97b9f654f54973e3c90bd11e6d8b24 *leafnode-1.11.2.rel.tar.bz2
85ee515acf4dfc025316f8cc19b37ecf *leafnode-1.11.2.rel.tar.gz
676805b00dce2b66c0eb79790e4ef646 *upgrade-1.11.1-to-1.11.2.diff.gz

File sizes:
391034 leafnode-1.11.2.rel.tar.bz2
469005 leafnode-1.11.2.rel.tar.gz
  5541 upgrade-1.11.1-to-1.11.2.diff.gz

>-----------------------------------------------------------------------------
### SECURITY BUGFIXES
NOTE: at the time this section was written, the CVE number was not yet known.
The ID will be posted to http://leafnode.sourceforge.net/security.shtml and
has been requested from the FreeBSD security team as a CVE CNA.
o Fix fetchnews segfault when connection to server dies while fetchnews is
  reading an article body (use-after-free bug).  Regression introduced into
  leafnode v1.9.52.  Denial of service possible, see leafnode-SA-2005-01.txt.
o Fix fetchnews segfault when connection to server dies while fetchnews is
  reading an article header.  Regression in security fix of leafnode v1.9.48.
  Denial of service possible, see leafnode-SA-2005-01.txt

### BUGFIXES
o fetchnews will no longer re-fetch the active file for a server if it has been
  completely received even if fetching articles from this server encounters a
  problem.  Long-standing bug.  Debian bug #70052.
o fetchnews will now properly mark the active for complete re-fetch if it says
  so.  Previously, it forgot the mark in some circumstances.
o A problem fetching the active file or descriptions for a newly added server
  will now mark the active for re-fetch even if articles have successfully
  been retrieved from the same server.

### DOCUMENTATION
o Repair two lines in the German leafnode(8) manual page that became invisible
  as they ran together with a .PP macro.
>-----------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCeOjsvmGDOQUufZURAjLzAJ9q7eCF8xdQdbotDtqGFJ8XM55+LwCfXlNH
J+iY/8h7ztd0ihUogKBWNX8=
=ey+E
-----END PGP SIGNATURE-----
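
An added example (not part of the original announcement or of the leafnode project): a Python check of a downloaded file against the SHA1, MD5 and size lists published in the message above. The function names are assumptions of this example, and the lists are only as trustworthy as the PGP signature that covers the message.

```python
import hashlib, os, re, sys

# Checksum section copied from the announcement above (the page's own values).
ANNOUNCEMENT = """\
SHA1 checksums:
138904683e9fa7f8630bc7e0273f2085ad4e7784 *leafnode-1.11.2.rel.tar.bz2
786c36725604be654bf41922ce924e3487a22be7 *leafnode-1.11.2.rel.tar.gz
c47d4ece2c84f8366e611f3b4a79c08385c580c3 *upgrade-1.11.1-to-1.11.2.diff.gz
MD5 checksums:
bb97b9f654f54973e3c90bd11e6d8b24 *leafnode-1.11.2.rel.tar.bz2
85ee515acf4dfc025316f8cc19b37ecf *leafnode-1.11.2.rel.tar.gz
676805b00dce2b66c0eb79790e4ef646 *upgrade-1.11.1-to-1.11.2.diff.gz
File sizes:
391034 leafnode-1.11.2.rel.tar.bz2
469005 leafnode-1.11.2.rel.tar.gz
  5541 upgrade-1.11.1-to-1.11.2.diff.gz
"""

def parse_manifest(text):
    """Return {filename: {"sha1": hex, "md5": hex, "size": int}}."""
    files, section = {}, None
    for line in text.splitlines():
        head = re.match(r"(SHA1|MD5) checksums:|File sizes:", line)
        if head:
            section = (head.group(1) or "size").lower()
            continue
        m = re.match(r"\s*([0-9a-f]+) \*?(\S+)$", line)
        if section and m:
            value = int(m.group(1)) if section == "size" else m.group(1)
            files.setdefault(m.group(2), {})[section] = value
    return files

def verify(path, expected):
    """Return the list of mismatched fields; an empty list means a match."""
    sha1, md5, size = hashlib.sha1(), hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha1.update(chunk)
            md5.update(chunk)
            size += len(chunk)
    actual = {"sha1": sha1.hexdigest(), "md5": md5.hexdigest(), "size": size}
    # A field missing from the manifest counts as a mismatch, never as a pass.
    return [k for k in ("size", "sha1", "md5") if expected.get(k) != actual[k]]

if __name__ == "__main__":
    manifest = parse_manifest(ANNOUNCEMENT)
    for path in sys.argv[1:]:
        bad = verify(path, manifest.get(os.path.basename(path), {}))
        print(path, "OK" if not bad else "MISMATCH: " + ", ".join(bad))
```

Run it with the downloaded file names as arguments; a file whose name is not in the announcement is reported as a mismatch on all three fields.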

