Debian DSA-023-1 : inn2 - local tempfile vulnerabilities

This script is Copyright (C) 2004-2013 Tenable Network Security, Inc.


Synopsis :

The remote Debian host is missing a security-related update.

Description :

- People at WireX have found several potential insecure
uses of temporary files in programs provided by INN2.
Some of them only lead to a vulnerability to symlink
attacks if the temporary directory was set to /tmp or
/var/tmp, which is the case in many installations, at
least in Debian packages. An attacker could overwrite
any file owned by the news system administrator, i.e.
owned by news.news.
- Michal Zalewski found an exploitable buffer overflow
with regard to cancel messages and their verification.
This bug did only show up if 'verifycancels' was enabled
in inn.conf which is not the default and has been
disrecommended by upstream.

- Andi Kleen found a bug in INN2 that makes innd crash for
two byte headers. There is a chance this can only be
exploited with uucp.

See also :

http://www.debian.org/security/2001/dsa-023

Solution :

Upgrade the inn2 packages immediately.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

Family: Debian Local Security Checks

Nessus Plugin ID: 14860 (debian_DSA-023.nasl)

Bugtraq ID:

CVE ID: CVE-2001-0361