Advisories

Mandriva Advisories

Package name: leafnode
Date: January 14th, 2003
Advisory ID: MDKSA-2003:005
Affected versions: 8.2, 9.0
Synopsis: Updated leafnode packages fix remote DoS vulnerability

Problem Description

Jan Knutar discovered a vulnerability in leafnode that, as
Mark Brown pointed out, could be used in a Denial of Service
attack. This vulnerability causes leafnode to go into an
infinite loop with 100% CPU use when an article that has been
crossposted to several groups, one of which is the prefix of
another, is requested by its Message-ID.

This vulnerability was introduced in 1.9.20 and fixed upstream
in version 1.9.30. Only Mandrake Linux 9.0 is affected by this,
but version 1.9.19 (which shipped with Mandrake Linux 8.2) is
receiving an update due to critical bugs in it that can corrupt
parts of its news spool under certain circumstances.

Updated Packages

Mandrakelinux 8.2

a9c3f6f4198c88e71f7c78281d6ead7b  8.2/RPMS/leafnode-1.9.31-1.1mdk.i586.rpm
25f0be374ababf45db444a9b64ab1a98  8.2/SRPMS/leafnode-1.9.31-1.1mdk.src.rpm

Mandrakelinux 8.2/PPC

c39ab8855cbb4d0727c796242edda60c  ppc/8.2/RPMS/leafnode-1.9.31-1.1mdk.ppc.rpm
25f0be374ababf45db444a9b64ab1a98  ppc/8.2/SRPMS/leafnode-1.9.31-1.1mdk.src.rpm

Mandrakelinux 9.0

4749ee927caa55f15adddadd473a3d12  9.0/RPMS/leafnode-1.9.31-1.1mdk.i586.rpm
25f0be374ababf45db444a9b64ab1a98  9.0/SRPMS/leafnode-1.9.31-1.1mdk.src.rpm

References

http://marc.theaimsgroup.com/?l=bugtraq&m=104127108823436&w=2

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.
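
For a manual download, the two checks described above can be scripted. The following is an added example, not part of the original advisory: it assumes the "Updated Packages" lines have been saved to a text file and the packages downloaded into one directory; the function names `verify_md5` and `verify_sig` are hypothetical. Because the 8.2 and 9.0 i586 packages share a file name but have different checksums, the list is filtered by release prefix before comparing.

```shell
#!/bin/sh
# Added example: compare downloaded RPMs with the advisory's MD5 list for one
# release, then run the GPG signature check. MD5 only detects a corrupted or
# swapped download; the signature check is what authenticates the package.

# verify_md5 LIST RELEASE DIR
#   LIST:    file with "<md5>  <release>/.../<package>.rpm" lines from the advisory
#   RELEASE: path prefix to select, e.g. 9.0, 8.2 or ppc/8.2
#   DIR:     directory holding the downloaded packages (matched by file name)
# Returns 0 only if at least one package was checked and none mismatched.
verify_md5() {
    list=$1 rel=$2 dir=$3 checked=0 bad=0
    while read -r want path; do
        # Skip blank lines and anything that is not a 32-hex-digit checksum.
        case $want in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ "${#want}" -eq 32 ] || continue
        # Same file name, different checksum per release: filter by prefix.
        case $path in
            "$rel"/*) ;;
            *) continue ;;
        esac
        file=$dir/${path##*/}
        [ -f "$file" ] || continue          # listed but not downloaded
        got=$(md5sum "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK       ${path##*/}"
        else
            echo "MISMATCH ${path##*/} (expected $want, got $got)"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# verify_sig FILE: the signature check named in the advisory. The vendor's
# GPG public key must already be imported into the rpm keyring.
verify_sig() {
    rpm --checksig "$1"
}

# Usage (paths are assumptions):
#   verify_md5 advisory.txt 9.0 ./downloads && verify_sig ./downloads/package.rpm
```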