<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="MSHTML 5.00.2014.210" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2><FONT size=2>This was in Linux Today...</FONT></FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT
size=2>----------------------------------------------------------------------------------------------------<BR>
SuSE Security Announcement<BR><BR>
Package: INN 2.0 and higher<BR>
Date: Wed May 19 15:20:33 CEST
1999<BR> Affected: Unix operating
systems using INN >= 2.0<BR></DIV></FONT>
<DIV><FONT size=2>Some security holes were discovered in the package mentioned
above.<BR>Please update as soon as possible or disable the service if you are
using<BR>this software on your SuSE Linux installation(s).<BR><BR>Other Linux
distributions or operating systems might be affected as<BR>well, please contact
your vendor for information about this issue.<BR><BR>Please note, that we
provide this information on as "as-is" basis only.<BR>There is no warranty
whatsoever and no liability for any direct, indirect or<BR>incidental damage
arising from this information or the installation of<BR>the update
package.<BR></FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>1. Problem Description<BR><BR> The innd
wrapper inndstart could be tricked to execute arbitrary<BR>
code by editing the environment (INNCONF), by modifing the
inn.conf<BR> file or by overflowing a buffer.<BR><BR>2.
Impact<BR><BR> As long as /usr/lib/news/bin/inndstart is SUID
root a attacker<BR> could gain local root access to your
system.<BR><BR>3. Solution<BR><BR> Remove the SUID bit of
inndstart by executing<BR> /bin/chmod 700
/usr/lib/news/bin/inndstart<BR><BR> Disallow other users than
news to access /usr/lib/news<BR> /bin/chmod go-rwx
/usr/lib/news<BR><BR> Install a patch (update the package) as
soon as the bug is fixed!</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT
size=2>-----------------------------------------------------------------------------------------------</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>This was in Linux Today...</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>--Blake<BR><BR></DIV></FONT></BODY></HTML>