Mandriva Linux Security Advisory : inn (MDVSA-2012:156)

Medium Nessus Plugin ID 62404


The remote Mandriva Linux host is missing one or more security updates.


A security issue was identified and fixed in ISC INN:

The STARTTLS implementation in nnrpd, INN's NNTP server for readers, before 2.5.3 does not properly restrict I/O buffering. This allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, a plaintext command injection attack. The issue is similar to CVE-2011-0411 and is tracked as CVE-2012-3523.

The updated packages have been upgraded to inn 2.5.3, which is not vulnerable to this issue.
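The buffering flaw described above can be seen in a small simulation. This is an added example, not code from INN or from the advisory: the `ReaderSession` class, the `replay` helper and the sample traffic are hypothetical, and discarding the buffer at the TLS boundary is shown as one common way to enforce the restriction, not as INN's actual patch.

```python
# Constructed simulation: no sockets, no real TLS. Setting `tls = True` stands
# in for a completed handshake.

class ReaderSession:
    """Hypothetical line-based server session with an application read buffer."""

    def __init__(self, discard_on_starttls):
        self.discard_on_starttls = discard_on_starttls
        self.buf = b""        # bytes already read from the socket, not yet parsed
        self.tls = False      # server's belief about the channel
        self.handled = []     # (command, server believed channel was encrypted)
        self.dropped = b""    # cleartext thrown away at the TLS boundary

    def receive(self, segment):
        """Buffer one received segment, then handle every complete line."""
        self.buf += segment
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            command = line.decode("ascii", "replace")
            if command.upper() == "STARTTLS" and not self.tls:
                if self.discard_on_starttls:
                    # Hardened: nothing read before the handshake may survive it.
                    self.dropped, self.buf = self.buf, b""
                self.tls = True
            else:
                self.handled.append((command, self.tls))


def replay(discard_on_starttls):
    """Feed the same constructed traffic to a session and return it."""
    session = ReaderSession(discard_on_starttls)
    session.receive(b"MODE READER\r\n")
    # Constructed input: a cleartext command arrives in the same segment as
    # STARTTLS, i.e. before any handshake has taken place.
    session.receive(b"STARTTLS\r\nDATE\r\n")
    return session


if __name__ == "__main__":
    for discard in (False, True):
        s = replay(discard)
        print("discard" if discard else "keep   ", s.handled, s.dropped)
```

With the buffer kept, the trailing cleartext command is recorded as if it had arrived over the encrypted channel; with the buffer discarded, it is never handled.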


Update the affected inews, inn and/or inn-devel packages.

Plugin Details

Severity: Medium

ID: 62404

File Name: mandriva_MDVSA-2012-156.nasl

Version: $Revision: 1.7 $

Type: local

Published: 2012/10/03

Modified: 2014/01/23

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:inews, p-cpe:/a:mandriva:linux:inn, p-cpe:/a:mandriva:linux:inn-devel, cpe:/o:mandriva:linux:2011

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2012/10/02

Reference Information

CVE: CVE-2012-3523

BID: 55146

MDVSA: 2012:156