Update from 2.5.2 to 2.5.3 (fixes CVE-2011-0411).

While we are touching it, fix PR/45986 with the patch supplied therein
(thanks)

Changes from 2.5.2 to 2.5.3:

  * When HDR/XHDR/XPAT were used on a new article coming into a newsgroup,
    requesting a header not present in the overview database, the first
    subsequent OVER/XOVER command did not show that article.  A remap of
    the overview data file was missing in nnrpd.  Thanks to Sam
    Varshavchik for the bug report.

  * When a header field appeared more than once in an article, it was
    missing from the overview data.  OVER/XOVER, as well as HDR/XHDR/XPAT
    using the overview, were therefore returning an empty field.  The
    content of the first occurrence is now returned, in accordance with
    RFC 3977.

    Perl and Python filters for innd now also properly initialize their
    header variables with the first occurrence of header fields.  (It is
    still the last occurrence for the Perl filter for nnrpd.)

  * Fixed a possible plaintext command injection during the negotiation of
    a TLS layer.  The vulnerability detailed in CVE-2011-0411 affects the
    STARTTLS and AUTHINFO SASL commands.  nnrpd now resets its read buffer
    upon a successful negotiation of a TLS layer.  It prevents malicious
    commands, sent unencrypted, from being executed in the new encrypted
    state of the session.

  * Fixed a regression that occurred in INN 2.5.0 when leading whitespace
    characters have been made significant in header field bodies.  It
    could lead INN to drop articles and throttle itself when running as a
    slave because Xref: header fields generated by other news servers, or
    even INN 2.4.6, could contain (valid) leading whitespace.  Thanks to
    Matija Nalis for having caught this bug.

  * Fixed an invalid 431 response to CHECK commands when innd is paused:
    the message-ID of the article to defer was missing.  Also fixed
    another issue in the messages innd replied; when an error occurred
    during a write on a channel, a trailing extra junk byte was added to
    the reply.  Thanks to River Tarnell for these bug reports.

  * It is now possible to properly generate daily statistics with
    sendinpaths thanks to the new -k and -r flags that permit to control
    the interval of days for processing dump files.  The new -c flag
    permits to send a copy of the generated e-mail to the newsmaster.

    Also fixed an issue with statistics that could be missing or
    duplicated for a couple of days when monthly sent.

    The documentation has been updated and mentions a preferred daily run
    of sendinpaths.  This script is a complete rewrite in Perl, and is
    based on Mohan Kokal's initial work.

  * cnfsheadconf now properly recognizes continuation lines in
    cycbuff.conf, that is to say lines ending with a backslash ("\").
    Thanks to John F. Morse for the bug report.

  * The order of CNFS buffers in a metacycbuff is now properly read and
    written by cnfsheadconf.  There previously was a confusion between
    hexadecimal and decimal values.  Thanks again to John F. Morse.

  * When the -l flag is given to cnfsstat, the cycbuff.conf and
    storage.conf files are now reloaded if they have been modified since
    the previous output of cnfsstat.

  * A single header field line is limited to 998 bytes, per RFC 5536.
    innd was previously accepting, and also generating Xref: header field
    lines, up to 1022 bytes.  Now, nnrpd (acting as an injecting agent)
    rejects articles which contain header field lines whose length exceeds
    998 bytes.  And innd (acting as a relaying or serving agent) no longer
    checks that.

  * nnrpd advertises the COUNTS, DISTRIBUTIONS, MODERATORS, MOTD and
    SUBSCRIPTIONS variants of the LIST command in response to
    CAPABILITIES.  These commands already existed in nnrpd but RFC 6048
    had not yet been published.

  * Add support for LIST MOTD in innd.  Consequently, the motd.news
    configuration file which was previously used only by nnrpd is renamed
    to motd.nnrpd (innupgrade takes care of the rename).  innd uses the
    new motd.innd file in *pathetc* for its message of the day.

  * Fixed an issue at configure time that made INN wrongly assume that
    OpenBSD (4.6) didn't support Unix-domain sockets.  Thanks to Wim Lewis
    for the patch.

  * Fixed an issue on systems which do not have a working flock(2)
    function (Solaris, for instance).  mailpost and pullnews are reported
    not to be usable on such systems.  Many thanks to Dennis Davis for the
    bug report.

    A wrapper around shlock is now called in Perl scripts.  The
    INN::Utils::Shlock module has been added for that use.

  * Fixed an issue in the Python access hook for nnrpd:  it has not been
    working since Python 2.5 on 64-bit platforms, owing to a change to
    Python's C API, using a new Py_ssize_t type definition instead of int.
    Thanks to Raphael Barrois for the patch.

  * Improve the stability of the Perl filters for innd and nnrpd: properly
    save and restore the stack pointer when needed.

  * The Injection-Date: header, when present, is now used by innd and
    makehistory to determine the posting date of an article.  Otherwise,
    the Date: header is used.

  * controlchan now imposes a date cutoff on processing control articles.
    The *artcutoff* parameter set in inn.conf is used.  Otherwise, without
    that cutoff, old control articles could be maliciously reinjected into
    Usenet, and replayed.  (An unsigned Injection-Date: header field could
    be added to an article that only had a Date: header field.)  A new -c
    flag has been added to controlchan to disable the cutoff check, if
    needed (usually when manually invoking the program).

  * nnrpd no longer adds or updates the Path: header field when an article
    is forwarded to a moderator.  It could otherwise lead to rejects at
    injection time when the article was approved by the moderator.

  * The X-Trace: header field was not properly generated when an article
    was locally posted.  The field mentioning the IP address was skipped,
    resulting in a wrong syntax for this header.  The local "127.0.0.1" IP
    address is now used.  Besides, "localhost" is now mentioned instead of
    an obscure "stdin" in injection header fields.

  * Fixed a bug in the frequency innfeed logs its status:  too many
    useless lines were written to news.notice.  Thanks to Florian
    Schlichting for the fix.

  * When unset in innfeed.conf, the *dynamic-method* parameter now
    properly defaults to 3 (instead of 0) and *use-mmap* to false (instead
    of true).  These two values were already the recommended ones in the
    documentation and the sample file.  Note that *use-mmap* is only used
    when innfeed is given file names to send instead of storage API
    tokens, which is a fairly rare use case.

  * innfeed no longer generates an error message (logged in news.err) when
    a parameter is not defined in innfeed.conf.  All the parameters have a
    default value, so there is no need to warn the user if they are not
    present in innfeed.conf.  Thanks to Dieter Stussy for having reported
    this problem.

  * Implement an upper limit to the number of file descriptors innd can
    handle.  At most (FD_SETSIZE-1) file descriptors can be used.  This
    upper limit now overrides any superior number set with *rlimitnofile*
    in inn.conf.  Thanks to Steve Crook for the bug report.

  * A default timeout on outgoing sockets (using NNTPconnect) has been
    added by Florian Schlichting.  For a long time, there have been
    occasional problems with actsync (and probably other programs) that
    would hang until manually killed or restarted.

  * The flag -S has been added to innd by Florian Schlichting.  When used,
    innd reports the errors found in incoming.conf and exits.

  * pullnews no longer stops processing newsgroups when an error occurs
    during its run (for instance when a newsgroup mentioned in the
    configuration file is removed from an upstream server).  Besides, it
    can now use authentication when posting to the downstream server.

    A few other minor bugs have been fixed as for the way pullnews counts
    the articles.

  * Fixed the way innreport handles leap years.  It now properly generates
    HTML reports; dates were assumed to be relative to the current year,
    which may break their computation during for instance the whole 2012
    leap year.  Please note that no HTML reports have been lost, and that
    they will appear when INN is updated to this new version.

  * A new parameter has been added to inn.conf to determine whether the
    status file that innd can write out (depending on the value of the
    *status* parameter) is plain text or wrapped in HTML.  It previously
    only was a compile-time option, set to true by default.  Florian
    Schlichting added the *htmlstatus* parameter to provide a configurable
    behaviour.

  * It is now possible to run a script at the end of the execution of
    innshellvars scripts.  If a file named innshellvars.local,
    innshellvars.pl.local or innshellvars.tcl.local is present and
    executable in *pathetc*, then it will be executed by the corresponding
    innshellvars script (respectively shell, INN::Config Perl module, and
    Tcl).  A typical use is to add or override variables.

  * Add support for wire-formatted articles in scanspool.

  * A lot of work on cleaning old perl4-style code has been done by
    Florian Schlichting.

  * inncheck now generates a proper non-zero exit value when errors are
    found, and allows quiet mode with the -q flag.  Florian Schlichting
    has greatly improved this script in many regards, especially with a
    config-syntax parser for incoming.conf, innfeed.conf, readers.conf and
    storage.conf.

  * inncheck now properly finds the boundaries of substituted variables in
    newsfeeds thanks to Alexander Bartolich.

  * docheckgroups no longer uses awk.  On a few systems, the script was
    failing because of the presence of an old version of awk that has a
    limit in the size of the input it can handle.  Processing large
    newsgroups files was consequently impossible.  docheckgroups now uses
    Perl instead of awk, which solves the issue reported by John F. Morse.

  * Other minor bug fixes and documentation improvements.  In particular,
    the *debug-shrinking*, *fast-exit* and *initial-sleep* keys in
    innfeed.conf are now documented.  The function "filter_end()", called
    when Perl filtering is turned off, is also documented for the innd and
    nnrpd Perl filters.
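
The buffer reset described in the CVE-2011-0411 item above, as an added example that is not part of this commit or of INN's code: a toy line parser in which a command buffered in cleartext behind STARTTLS is accepted after the TLS switch unless the buffer is cleared. The names struct session, next_line, run and demo are hypothetical, and the handshake is assumed to succeed.

```c
#include <stdio.h>
#include <string.h>

/* Toy session state, not nnrpd's real structures. */
struct session {
    char   buf[256];       /* bytes read from the socket, not yet parsed */
    size_t len;
    int    tls;            /* 1 once the TLS layer is active */
    int    ran_after_tls;  /* commands accepted in the encrypted state */
};

/* Pop one CRLF-terminated line; return 0 when no complete line is buffered. */
static int next_line(struct session *s, char *out, size_t outsz)
{
    for (size_t i = 0; i + 1 < s->len; i++) {
        if (s->buf[i] != '\r' || s->buf[i + 1] != '\n')
            continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, s->buf, n);
        out[n] = '\0';
        s->len -= i + 2;
        memmove(s->buf, s->buf + i + 2, s->len);
        return 1;
    }
    return 0;
}

/* Parse everything buffered; reset_on_tls selects the fixed behaviour. */
static int run(struct session *s, int reset_on_tls)
{
    char line[128];
    while (next_line(s, line, sizeof(line))) {
        if (!s->tls && strcmp(line, "STARTTLS") == 0) {
            s->tls = 1;          /* handshake assumed to succeed */
            if (reset_on_tls)
                s->len = 0;      /* discard bytes that arrived in cleartext */
        } else if (s->tls) {
            s->ran_after_tls++;  /* parsed as if it came through TLS */
        }
    }
    return s->ran_after_tls;
}

/* Constructed input: one cleartext read holding STARTTLS plus a trailing command. */
int demo(int reset_on_tls)
{
    const char *wire = "STARTTLS\r\nDATE\r\n";
    struct session s = {0};
    s.len = strlen(wire);
    memcpy(s.buf, wire, s.len);
    return run(&s, reset_on_tls);
}

int main(void)
{
    printf("no reset: %d command(s) run after TLS\n", demo(0));
    printf("reset:    %d command(s) run after TLS\n", demo(1));
    return 0;
}
```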
spz 2012-08-23 19:00:41 +00:00
parent e43f403fed
commit af9289fddd
8 changed files with 58 additions and 68 deletions

View file

@ -1,7 +1,6 @@
# $NetBSD: Makefile,v 1.108 2011/09/25 14:00:09 spz Exp $
# $NetBSD: Makefile,v 1.109 2012/08/23 19:00:41 spz Exp $
DISTNAME= inn-2.5.2
PKGREVISION= 4
DISTNAME= inn-2.5.3
CATEGORIES= news
MASTER_SITES= ftp://ftp.isc.org/isc/inn/ \
ftp://ftp.fu-berlin.de/unix/news/inn/
@ -27,6 +26,8 @@ MESSAGE_SUBST+= INN_PATHBIN=${INN_PATHBIN:Q}
PLIST_SUBST+= INN_PATHBIN=${INN_PATHBIN:Q}
PKG_SYSCONFSUBDIR= inn
GNU_CONFIGURE= YES
GNU_CONFIGURE_PREFIX= ${INN_PREFIX}
GNU_CONFIGURE_MANDIR= ${PREFIX}/${PKGMANDIR}
@ -34,7 +35,7 @@ CONFIGURE_ARGS+= --enable-setgid-inews \
--enable-largefiles \
--bindir=${PREFIX}/${INN_PATHBIN} \
--sbindir=${PREFIX}/${INN_PATHBIN} \
--sysconfdir=${PREFIX}/etc/inn \
--sysconfdir=${PKG_SYSCONFDIR} \
--with-openssl=${SSLBASE:Q} \
--with-doc-dir=${PREFIX}/share/doc/inn \
--with-control-dir=${PREFIX}/${INN_PATHBIN}/control \
@ -75,13 +76,11 @@ PKG_GECOS.${INN_USER}= Internet\ News
PKG_HOME.${INN_USER}= ${INN_DATA_DIR}
PKG_SHELL.${INN_USER}= ${SH}
PKG_SYSCONFDIR.inn= ${PREFIX}/etc/inn
EXAMPLEDIR= ${PREFIX}/share/examples/inn
INN_DATADIRS= log log/OLD run tmp db spool http
INN_SPOOLDIRS= archive articles overview incoming incoming/bad \
outgoing uniover innfeed
INSTALLATION_DIRS+= etc/nntp
INSTALLATION_DIRS+= sbin
INSTALLATION_DIRS+= bin
INSTALLATION_DIRS+= ${EXAMPLEDIR}
@ -91,8 +90,7 @@ MAKE_DIRS+= ${PREFIX}/bin
MAKE_DIRS+= ${PREFIX}/sbin
MAKE_DIRS+= ${PREFIX}/lib
INN_DIRS+= ${PREFIX}/etc/nntp
INN_DIRS+= ${PREFIX}/etc/inn
INN_DIRS+= ${PKG_SYSCONFDIR}
INN_DIRS+= ${INN_DATA_DIR}
OWN_DIRS+= ${PREFIX}/${INN_PATHBIN}
@ -115,8 +113,11 @@ CFILES= actsync.cfg actsync.ign buffindexed.conf \
distrib.pats distributions \
expire.ctl incoming.conf inn.conf innfeed.conf \
innreport.conf innwatch.ctl \
innshellvars.local innshellvars.pl.local \
innshellvars.tcl.local \
localgroups moderators \
motd.news news2mail.cf newsfeeds nnrpd.track \
motd.innd motd.nnrpd \
news2mail.cf newsfeeds nnrpd.track \
nntpsend.ctl nocem.ctl ovdb.conf passwd.nntp \
radius.conf readers.conf send-uucp.cf \
storage.conf subscriptions
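Review bot: innshellvars.local, innshellvars.pl.local and innshellvars.tcl.local join CFILES here as if they were ordinary configuration files, but the 2.5.3 notes in the commit message say the innshellvars scripts execute them when they are present and executable in pathetc. Check which owner and mode the CFILES handling installs them with, and keep them writable only by the account that owns the INN configuration, since whoever can edit them gets code run by every script that loads innshellvars.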

View file

@ -1,4 +1,4 @@
@comment $NetBSD: PLIST,v 1.22 2011/09/25 13:58:31 spz Exp $
@comment $NetBSD: PLIST,v 1.23 2012/08/23 19:00:41 spz Exp $
bin/inews
bin/rnews
include/inn/buffer.h
@ -40,6 +40,7 @@ lib/libinn.a
lib/libinnhist.a
lib/libstorage.a
lib/perl/INN/Config.pm
lib/perl/INN/Utils/Shlock.pm
${INN_PATHBIN}/actmerge
${INN_PATHBIN}/actsync
${INN_PATHBIN}/actsyncd
@ -138,7 +139,6 @@ man/man1/getlist.1
man/man1/grephistory.1
man/man1/inews.1
man/man1/innconfval.1
man/man1/innfeed.1
man/man1/innmail.1
man/man1/nntpget.1
man/man1/pgpverify.1
@ -149,6 +149,7 @@ man/man1/shrinkfile.1
man/man1/simpleftp.1
man/man1/sm.1
man/man3/INN::Config.3pm
man/man3/INN::Utils::Shlock.3pm
man/man3/clientlib.3
man/man3/dbz.3
man/man3/inndcomm.3
@ -175,7 +176,9 @@ man/man5/innfeed.conf.5
man/man5/innwatch.ctl.5
man/man5/localgroups.5
man/man5/moderators.5
man/man5/motd.innd.5
man/man5/motd.news.5
man/man5/motd.nnrpd.5
man/man5/newsfeeds.5
man/man5/newsgroups.5
man/man5/newslog.5
@ -206,16 +209,19 @@ man/man8/expireover.8
man/man8/expirerm.8
man/man8/filechan.8
man/man8/ident.8
man/man8/imapfeed.8
man/man8/innbind.8
man/man8/inncheck.8
man/man8/innd.8
man/man8/inndf.8
man/man8/innfeed.8
man/man8/innreport.8
man/man8/innstat.8
man/man8/innupgrade.8
man/man8/innwatch.8
man/man8/innxbatch.8
man/man8/innxmit.8
man/man8/inpaths.8
man/man8/mailpost.8
man/man8/makedbz.8
man/man8/makehistory.8
@ -231,10 +237,12 @@ man/man8/ovdb_server.8
man/man8/ovdb_stat.8
man/man8/overchan.8
man/man8/perl-nocem.8
man/man8/procbatch.8
man/man8/prunehistory.8
man/man8/radius.8
man/man8/rc.news.8
man/man8/scanlogs.8
man/man8/scanspool.8
man/man8/send-nntp.8
man/man8/send-uucp.8
man/man8/sendinpaths.8
@ -291,10 +299,14 @@ share/examples/inn/inn.conf
share/examples/inn/innfeed.conf
share/examples/inn/innreport.conf
share/examples/inn/innreport.css
share/examples/inn/innshellvars.local
share/examples/inn/innshellvars.pl.local
share/examples/inn/innshellvars.tcl.local
share/examples/inn/innwatch.ctl
share/examples/inn/localgroups
share/examples/inn/moderators
share/examples/inn/motd.news
share/examples/inn/motd.innd
share/examples/inn/motd.nnrpd
share/examples/inn/news2mail.cf
share/examples/inn/newsfeeds
share/examples/inn/newsgroups.minimal
@ -309,3 +321,6 @@ share/examples/inn/send-uucp.cf
share/examples/inn/storage.conf
share/examples/inn/subscriptions
share/examples/rc.d/innd
@pkgdir ${INN_PATHBIN}/filter
@pkgdir etc/nntp
@pkgdir etc/inn
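Review bot: the trailing `@pkgdir etc/nntp` and `@pkgdir etc/inn` entries hardcode the configuration directory (the hunk header grows this tail from 3 to 6 lines, so they read as additions), while the Makefile in this same commit moves --sysconfdir and INN_DIRS from ${PREFIX}/etc/inn to ${PKG_SYSCONFDIR}. Where PKG_SYSCONFDIR does not resolve to ${PREFIX}/etc/inn, the PLIST would register a directory the package no longer uses. Consider dropping the etc/inn entry, or confirm it is still needed next to the Makefile's own directory handling.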

View file

@ -1,16 +1,14 @@
$NetBSD: distinfo,v 1.28 2011/09/25 14:00:09 spz Exp $
$NetBSD: distinfo,v 1.29 2012/08/23 19:00:42 spz Exp $
SHA1 (inn-2.5.2.tar.gz) = e7a9512acb5fa09ecdf116a4bde39c9f5efe65db
RMD160 (inn-2.5.2.tar.gz) = 2fce7fade8bd8df3fe7f813b6feb37ff2b2bf07c
Size (inn-2.5.2.tar.gz) = 2331916 bytes
SHA1 (inn-2.5.3.tar.gz) = 98f22ef02e48c28f5eb931ce506ebe99557dc46e
RMD160 (inn-2.5.3.tar.gz) = 7c4593d8880426a8961befbfa600450b23482d35
Size (inn-2.5.3.tar.gz) = 2412119 bytes
SHA1 (patch-aa) = 8ed86de4d20ab8510c7521528a9979c1d3e6d9e8
SHA1 (patch-ab) = 5f98336273de9763c38df3bb122f141cbd16527a
SHA1 (patch-ac) = 2b801b9b8c5eae1feacaa3532e78b4c46210f755
SHA1 (patch-ad) = d36131ad21a1d8ea0edb463dfff6f1800dc8291d
SHA1 (patch-ag) = ec28feef2392567cbc607e7b27fe85f1acd349a7
SHA1 (patch-ah) = a71cdb9940012098cb5737e5fa48435309cbda83
SHA1 (patch-ah) = ed5ef5f504eb9a95ad3da933ba5d00ee73885b00
SHA1 (patch-ai) = cf0af9de01dc7e06c5f9f7f1dd91ac2201e8c212
SHA1 (patch-ak) = 1b92f93a78a08b570c2f9b5360982644d6d2d065
SHA1 (patch-ak) = c15b9067eeff701a7f2cc443fe6d1cb89136d974
SHA1 (patch-al) = a3d9fad5c045dc7a240e0f0c0a88a5321e6135d5
SHA1 (patch-am) = 93a056db2beb3a939ee0974e5255ce0e9cf1fb9b
SHA1 (patch-an) = dd1a4462c1a7ea7e52d009c6df1fcb93a2162280

View file

@ -1,8 +1,8 @@
$NetBSD: patch-ah,v 1.14 2011/09/25 13:58:32 spz Exp $
$NetBSD: patch-ah,v 1.15 2012/08/23 19:00:42 spz Exp $
--- site/Makefile.orig 2010-03-24 20:10:36.000000000 +0000
--- site/Makefile.orig 2012-06-15 18:25:36.000000000 +0000
+++ site/Makefile
@@ -72,33 +72,11 @@ REST = \
@@ -75,35 +75,11 @@ REST = \
ALL = $(MOST) $(REST)
@ -16,13 +16,15 @@ $NetBSD: patch-ah,v 1.14 2011/09/25 13:58:32 spz Exp $
- $D$(PATHETC)/localgroups \
- $D$(PATH_CTLWATCH) $D$(PATH_DISTPATS) $D$(PATH_DISTRIBUTIONS) \
- $D$(PATH_ACTSYNC_CFG) $D$(PATH_ACTSYNC_IGN) \
- $D$(PATH_MOTD) $D$(PATH_STORAGECONF) \
- $D$(PATH_MOTD_INND) $D$(PATH_MOTD_NNRPD) $D$(PATH_STORAGECONF) \
- $D$(PATH_CYCBUFFCONFIG) $D$(PATH_BUFFINDEXED) \
- $D$(PATH_INNFEEDCTL) $D$(PATH_PERL_STARTUP_INND) \
- $D$(PATH_PERL_FILTER_INND) $D$(PATH_PERL_FILTER_NNRPD) \
- $D$(PATH_PYTHON_FILTER_INND) $D$(PATH_PYTHON_INN_MODULE) \
- $D$(PATH_PYTHON_NNRPD_MODULE) \
- $D$(PATH_TCL_STARTUP) $D$(PATH_TCL_FILTER) \
- $D$(PATHETC)/innshellvars.local $D$(PATHETC)/innshellvars.pl.local \
- $D$(PATHETC)/innshellvars.tcl.local \
- $D$(PATHETC)/nocem.ctl \
- $D$(PATH_NNRPAUTH) $D$(PATHETC)/news2mail.cf $D$(PATH_READERSCONF) \
- $D$(PATH_RADIUS_CONF) $D$(PATH_NNRPYAUTH) $D$(PATH_NNRPYACCESS) $D$(PATH_NNRPYDYNAMIC) \

View file

@ -1,6 +1,6 @@
$NetBSD: patch-ak,v 1.1 2009/09/25 11:06:00 spz Exp $
$NetBSD: patch-ak,v 1.2 2012/08/23 19:00:42 spz Exp $
--- perl/INN/Config.pm.in.orig 2009-05-21 22:08:33.000000000 +0200
--- perl/INN/Config.pm.in.orig 2012-06-15 18:25:36.000000000 +0000
+++ perl/INN/Config.pm.in
@@ -20,7 +20,7 @@ our $exec_prefix = "@exec_prefix@";
@ -8,6 +8,6 @@ $NetBSD: patch-ak,v 1.1 2009/09/25 11:06:00 spz Exp $
my @INNCONFVAR = ();
-my @values = `${exec_prefix}/bin/innconfval -p`;
+my @values = `@bindir@/innconfval -p`;
foreach $line (@values) {
foreach my $line (@values) {
eval 'our '.$line;
if ($line =~ /^(.*?) = /m) {
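Review bot: the patch header still has no description between the $NetBSD tag and the `--- perl/INN/Config.pm.in.orig` line, unlike patch-am and patch-an in this commit, which say why they exist. A one-line reason for replacing `${exec_prefix}/bin/innconfval` with `@bindir@/innconfval` (the Makefile passes --bindir=${PREFIX}/${INN_PATHBIN}) would record why the patch cannot be dropped. The backtick output is fed line by line to `eval 'our '.$line`, so the command must resolve to the package's own innconfval; keep the path absolute as it is here.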

15
news/inn/patches/patch-al Normal file
View file

@ -0,0 +1,15 @@
$NetBSD: patch-al,v 1.1 2012/08/23 19:00:42 spz Exp $
--- ./lib/fdlimit.c.orig 2009-10-12 18:24:04.000000000 +0000
+++ ./lib/fdlimit.c
@@ -59,6 +59,10 @@ setfdlimit(unsigned int limit)
}
#endif
+ /* will we mind if the limit is higher? I think not. */
+ if (rl.rlim_cur >= limit)
+ return 0;
+
rl.rlim_cur = limit;
if (limit > rl.rlim_max)
rl.rlim_max = limit;
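Review bot: the new early return `if (rl.rlim_cur >= limit) return 0;` means setfdlimit() can no longer lower the soft limit, and its comment ("I think not") leaves that question open. The 2.5.3 notes in the commit message say innd now caps descriptors at FD_SETSIZE-1 and that the cap overrides a larger rlimitnofile; if that cap is applied through setfdlimit(), a process started with a higher inherited limit would keep it. Please confirm where the cap is enforced, and add a description line with the PR/45986 reference under the $NetBSD tag so the reason for the patch is recorded.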

View file

@ -1,26 +0,0 @@
$NetBSD: patch-am,v 1.1 2011/09/25 14:00:09 spz Exp $
remove deprecated perl features that don't do anything useful anyway
(replicate change in INN trunk)
--- ./scripts/innreport.in.orig 2010-03-24 20:10:36.000000000 +0000
+++ ./scripts/innreport.in
@@ -672,10 +672,6 @@ if (!$NOT_DAILY && defined $output{'defa
# - Specified in section "inn_flow" of innreport.conf.
sub DateCompare {
- # $[ ... The index of the first element in an array, and of the first
- # character in a substring. Default is 0.
- local $[ = 0;
-
# The 2 dates are near. The range is less than a few days that's why we
# can cheat to determine the order. It is only important if one date
# is in January and the other in December.
@@ -791,7 +787,6 @@ sub ConvDate($) {
# Compare 2 filenames
sub filenamecmp {
- local $[ = 0;
my ($la, $lb) = ($a, $b);
my ($ya) = $la =~ m/news-notice\.(\d+)\./o;
$ya += 100 if $ya < 90; # Try to pacify the year 2000 !

View file

@ -1,15 +0,0 @@
$NetBSD: patch-an,v 1.1 2011/09/25 14:00:09 spz Exp $
remove deprecated perl features that don't do anything useful anyway
(replicate change in INN trunk)
--- ./scripts/innreport_inn.pm.orig 2010-03-24 20:10:36.000000000 +0000
+++ ./scripts/innreport_inn.pm
@@ -2430,7 +2430,6 @@ sub report_unwanted_ng($) {
# Compare 2 dates (+hour), used with sort (arguments $a and $b)
sub datecmp() {
# ex: "May 12 06" for May 12, 6:00am
- local($[) = 0;
# The 2 dates are near. The range is less than a few days that's why we
# can cheat to determine the order. It is only important if one date
# is in January and the other in December.