Mandriva Linux Security Advisory : inn (MDVSA-2012:156)

medium Nessus Plugin ID 62404

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

A security issue was identified and fixed in ISC INN:

The STARTTLS implementation in nnrpd, INN's NNTP server for readers, before 2.5.3 does not properly restrict I/O buffering. This allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place. This is a plaintext command injection attack, a similar issue to CVE-2011-0411 (CVE-2012-3523).

The updated packages have been upgraded to inn 2.5.3, which is not vulnerable to this issue.

Solution

Update the affected inews, inn and/or inn-devel packages.

See Also

https://www.isc.org/software/inn/2.5.3article

Plugin Details

Severity: Medium

ID: 62404

File Name: mandriva_MDVSA-2012-156.nasl

Version: 1.11

Type: local

Published: 10/3/2012

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:inews, p-cpe:/a:mandriva:linux:inn, p-cpe:/a:mandriva:linux:inn-devel, cpe:/o:mandriva:linux:2011

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/2/2012

Reference Information

CVE: CVE-2012-3523

BID: 55146

MDVSA: 2012:156