COMMAND

    INN

SYSTEMS AFFECTED

    INNd

PROBLEM

    Russ Allbery posted the following.  It has recently come to the INN
    authors' attention that some repackagers of INN have mistakenly
    shipped INN packages configured to use the system temporary
    directory (either /tmp or /var/tmp) to create temporary files.  INN
    expects its configured temporary directory to be writeable only by
    the news user and does not take sufficient precautions when creating
    temporary files to be able to use world-writeable temporary
    directories.  This configuration could be exploited to gain access
    to the news account.

    This was partly a  configuration error and partly  a documentation
    problem.  This  issue should have  been much more  clearly pointed
    out  in  the  installation  documentation  (fixed  in  the current
    version of INN).

    Thanks to Greg KH and Steve Beattie at WireX for bringing this to
    our attention.

SOLUTION

    If you are using a  pre-compiled version of INN, please  check the
    configuration in inn.conf and make  sure that pathtmp points to  a
    directory that  is not  world-writeable.   If it  does point  to a
    world-writeable directory,  create a  new directory  owned by  the
    news  user  and  only  writeable  by  that user, change pathtmp in
    inn.conf to point to that directory, and restart INN (with rc.news
    stop; rc.news start).

    If you  package INN  as part  of a  distribution, please make sure
    that INN is configured to  use a private temporary directory.   If
    you  configure  INN  with  --prefix=/usr,  you  will  need  to use
    --with-tmp-path to ensure that the temporary directory is not  set
    to /usr/tmp.

    As of INN 2.3.1, which  was released on 2001-01-11, INN  will warn
    loudly at configure time if the configured temporary directory  is
    world-writeable.  There is  also additional documentation of  this
    issue in INSTALL.

    There  is  work  underway  both  to make FHS-compliance a standard
    configure option so that these sorts of problems can be caught and
    solved in one place and to  make INN more robust against use  of a
    world-writeable  temporary  directory.   We  will  always strongly
    recommend,  however,  that  INN  be  configured  to  use a private
    temporary  directory,  since  getting  all  of the details of safe
    temporary file handling  right in a  portable manner is  difficult
    and there's no reason not to use a private directory.
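
    The check described above, as an added example script that is not
    part of this advisory or of INN itself: it reads pathtmp from an
    inn.conf and verifies that the directory is owned by the expected
    news user and is neither group- nor world-writeable.  It assumes GNU
    or BSD stat; the inn.conf contents and directories in the demo are
    constructed for the demonstration.

```shell
#!/bin/sh
# Check whether an inn.conf points pathtmp at a directory private to the news user.
# Constructed example for this advisory; assumes GNU or BSD stat.

# Print the pathtmp value from an inn.conf ("key: value" lines; tolerates
# leading whitespace, optional double quotes and a trailing comment).
inn_pathtmp() {
    sed -n 's/^[[:space:]]*pathtmp[[:space:]]*:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 and print OK if $1 is a directory owned by $2 and writable only
# by that owner; otherwise print the reason and return 1.
pathtmp_is_private() {
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # "mode owner", e.g. "1777 root": GNU stat first, BSD stat as fallback
    set -- $(stat -c '%a %U' "$dir" 2>/dev/null || stat -f '%Lp %Su' "$dir")
    mode=$1 own=$2
    # last octal digit = others, next = group; bit 2 is the write bit
    if [ $(( mode % 10 & 2 )) -ne 0 ]; then
        echo "FAIL: $dir is world-writable (mode $mode)"; return 1
    fi
    if [ $(( mode / 10 % 10 & 2 )) -ne 0 ]; then
        echo "FAIL: $dir is group-writable (mode $mode)"; return 1
    fi
    if [ "$own" != "$owner" ]; then
        echo "FAIL: $dir is owned by $own, not $owner"; return 1
    fi
    echo "OK: $dir is private to $owner (mode $mode)"
}

# Read pathtmp from the given inn.conf and check it for the expected user.
check_inn_tmp() {
    conf=$1 owner=$2
    p=$(inn_pathtmp "$conf")
    [ -n "$p" ] || { echo "FAIL: no pathtmp in $conf"; return 1; }
    pathtmp_is_private "$p" "$owner"
}

# Demo with constructed inputs (not from a real installation).
demo=$(mktemp -d)
mkdir "$demo/shared" "$demo/private"
chmod 1777 "$demo/shared"    # like /tmp or /var/tmp
chmod 700 "$demo/private"    # what the advisory recommends
printf 'pathtmp: %s\n' "$demo/shared" > "$demo/bad.conf"
printf 'pathtmp: "%s"  # fixed\n' "$demo/private" > "$demo/good.conf"
check_inn_tmp "$demo/bad.conf" "$(id -un)" || echo "(expected failure)"
check_inn_tmp "$demo/good.conf" "$(id -un)"
rm -rf "$demo"
```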

    For Debian:

        http://security.debian.org/dists/stable/updates/main/source/inn2_2.2.2.2000.01.31-4.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/inn2_2.2.2.2000.01.31-4.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/inn2_2.2.2.2000.01.31.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-i386/inn2-dev_2.2.2.2000.01.31-4.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/inn2-inews_2.2.2.2000.01.31-4.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/inn2_2.2.2.2000.01.31-4.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/inn2-dev_2.2.2.2000.01.31-4.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/inn2-inews_2.2.2.2000.01.31-4.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/inn2_2.2.2.2000.01.31-4.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/inn2-dev_2.2.2.2000.01.31-4.1_sparc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/inn2-inews_2.2.2.2000.01.31-4.1_sparc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/inn2_2.2.2.2000.01.31-4.1_sparc.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/inn2-dev_2.2.2.2000.01.31-4.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/inn2-inews_2.2.2.2000.01.31-4.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/inn2_2.2.2.2000.01.31-4.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/inn2-dev_2.2.2.2000.01.31-4.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/inn2-inews_2.2.2.2000.01.31-4.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/inn2_2.2.2.2000.01.31-4.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/inn2-dev_2.2.2.2000.01.31-4.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/inn2-inews_2.2.2.2000.01.31-4.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/inn2_2.2.2.2000.01.31-4.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-all/task-news-server_2.2.2.2000.01.31-4.1_all.deb