INN: Man-in-the-middle attack — GLSA 201401-24

A vulnerability in INN's STARTTLS implementation could allow a remote attacker to conduct a man-in-the-middle attack.

Affected packages

net-nntp/inn on all architectures
Affected versions < 2.5.3
Unaffected versions >= 2.5.3

Background

INN is a news server which can interface with Usenet.

Description

INN’s I/O buffering is not correctly restricted.

Impact

A remote attacker could inject commands into encrypted NNTP sessions.

Workaround

There is no known workaround at this time.

Resolution

All INN users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-nntp/inn-2.5.3"
 

References

Release date
January 21, 2014

Latest revision
January 21, 2014: 1

Severity
low

Exploitable
remote

Bugzilla entries