FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

inn -- plaintext command injection into encrypted channel

Affected packages
inn < 2.5.2_2

Details

VuXML ID a7975581-ee26-11e1-8bd8-0022156e8794
Discovery 2012-08-14
Entry 2012-08-25

INN developers report:

Fixed a possible plaintext command injection during the negotiation of a TLS layer. The vulnerability detailed in CVE-2011-0411 affects the STARTTLS and AUTHINFO SASL commands. nnrpd now resets its read buffer upon a successful negotiation of a TLS layer. It prevents malicious commands, sent unencrypted, from being executed in the new encrypted state of the session.
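The read-buffer reset described above, as an added example (not INN's code, and not part of the developers' report). It models only the STARTTLS case: the `reader` struct, the function names and the sample segment are hypothetical and constructed for illustration, and the TLS handshake itself is not performed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a server's line-oriented input buffer. */
struct reader { char buf[512]; size_t len; };

/* Append bytes as one read() on the plaintext socket would deliver them. */
static void feed(struct reader *r, const char *data) {
    size_t n = strlen(data), room = sizeof r->buf - r->len;
    if (n > room) n = room;
    memcpy(r->buf + r->len, data, n);
    r->len += n;
}

/* Pop one CRLF-terminated line into out; returns 1 if a full line was buffered. */
static int next_line(struct reader *r, char *out, size_t outsz) {
    for (size_t i = 0; i + 1 < r->len; i++) {
        if (r->buf[i] != '\r' || r->buf[i + 1] != '\n') continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, r->buf, n);
        out[n] = '\0';
        r->len -= i + 2;
        memmove(r->buf, r->buf + i + 2, r->len);
        return 1;
    }
    return 0;
}

/* Count commands that arrived unencrypted but are processed after TLS is up.
 * reset_on_tls = 1 applies the fix: discard whatever was buffered pre-handshake. */
static int plaintext_cmds_run_after_tls(const char *segment, int reset_on_tls) {
    struct reader r = { .len = 0 };
    char line[128];
    int tls = 0, ran = 0;
    feed(&r, segment);                 /* all of this arrived before the handshake */
    while (next_line(&r, line, sizeof line)) {
        if (tls) { ran++; continue; }  /* stale plaintext treated as protected input */
        if (strcmp(line, "STARTTLS") == 0) {
            tls = 1;                   /* the TLS handshake would take place here */
            if (reset_on_tls) r.len = 0;
        }
    }
    return ran;
}

int main(void) {
    const char *seg = "STARTTLS\r\nDATE\r\n";  /* constructed sample segment */
    printf("no reset: %d, reset: %d\n", plaintext_cmds_run_after_tls(seg, 0), plaintext_cmds_run_after_tls(seg, 1));
    return 0;
}
```

A regression test for a server with this fix can assert the same property: no command buffered before the handshake is answered after it.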

References

CVE Name CVE-2011-0411
CVE Name CVE-2012-3523
URL https://www.isc.org/software/inn/2.5.3article