Re: SNI-16: INN News Server Security Advisory (fwd)

David Sacerdote (davids@silence.secnet.com)
Mon, 28 Jul 1997 17:10:56 -0600

> Be aware that the SNI advisory is wrong on two counts here:
>
> 1. There is no "INN 1.6", at least not a released version. There
> is an early beta test version of 1.6 available on the ISC ftp
> site, but it is rather unstable and not at all a drop-in
> replacement for 1.5.1. There is an active discussion on the
> news.software.nntp newsgroup about this -- the current consensus
> is that 1.6b1 is not suitable for use in anything but a testing
> environment.
>
> 2. As of last Friday, 25 Jul 97, the ISC has announced that they
> will be making a set of patches for 1.5.1 available.

The information in the advisory is based on what the ISC told us prior to
its release. We provided the ISC with 160k of diffs against 1.5.0, well
in advance of the release of 1.5.1. They chose not to include them in the
1.5.1 release, and incorporated them into the latest beta.

When the ISC informed us that they would have a beta which included our
fixes available, we released the advisory at approximately the time the
fixes were supposed to be available. At the time, James Brister, who
maintains INN for the ISC, informed us that there would be no patches for
versions earlier than 1.6.

Apparently, it has since transpired that INN 1.6beta1 is not as stable as
the ISC believed. Therefore, they have decided to release a set of
patches against 1.5.1.

The reason we posted is this. The overflows present in INN were trivial to
find. In fact, had they not been actively exploited in the wild before the
advisory, we would be *shocked*. Would you rather that nobody except
those who are interested in cracking your systems know about these
problems, or would you rather be properly apprised of the dangers of
certain software?

David Sacerdote