Leafnode security
Preface
Leafnode is non-commercial open-source software that is available to you free of charge. Therefore, no guarantees are made and all liability is excluded to the maximum extent permitted by German law.
Any security statements made here apply only to 1.9.20 and later, with the exception of particular statements about the vulnerability of previous versions. The absence of a statement, particularly for 1.9.19 and older versions, does not imply that there is no problem. In any case, only the latest release is supported; see the status page for details.
Known vulnerabilities
Leafnode has, unfortunately, also been found to contain security vulnerabilities; fortunately these were only of the "Denial of Service" kind: no privilege escalation or data leak bugs have become known.
The security announcements that have been issued are:
- leafnode-SA-2002-01 (CVE-2002-1661) - CPU busy loop in leafnode (NNTP server) in [1.9.20;1.9.29]
- leafnode-SA-2003-01 (CVE-2003-0744) - fetchnews hang on malformatted articles in [1.9.3;1.9.41]
- leafnode-SA-2004-01 (CVE-2004-2068) - fetchnews hang on some kinds of input, in ]?;1.9.47]
- leafnode-SA-2005-01 (CVE-2005-1453) - fetchnews crashes on server timeout/disconnect, in [1.9.48;1.11.1]
- leafnode-SA-2005-02 (CVE-2005-1911) - fetchnews does not detect timeout downloading headers, in ]?;1.11.2]
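As an added example (not part of the Leafnode project or of this page), the following Python checker parses the interval notation used in the list above and reports which advisories cover a given installed version. It assumes the brackets follow the ISO 31-11 convention (`[a;b]` inclusive, a reversed bracket exclusive) and that `?` means no known bound.

```python
import re

# Affected version ranges, copied from the advisory list on this page.
# Notation: "[a;b]" includes both ends; "]?;b]" has no known lower bound.
ADVISORIES = [
    ("leafnode-SA-2002-01", "CVE-2002-1661", "[1.9.20;1.9.29]"),
    ("leafnode-SA-2003-01", "CVE-2003-0744", "[1.9.3;1.9.41]"),
    ("leafnode-SA-2004-01", "CVE-2004-2068", "]?;1.9.47]"),
    ("leafnode-SA-2005-01", "CVE-2005-1453", "[1.9.48;1.11.1]"),
    ("leafnode-SA-2005-02", "CVE-2005-1911", "]?;1.11.2]"),
]

# One bracket, lower bound, ';', upper bound, one bracket.
INTERVAL = re.compile(r"^([\[\]])([^;]+);([^\[\]]+)([\[\]])$")


def parse_version(text):
    """'1.9.20' -> (1, 9, 20), so comparison is numeric rather than lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_interval(text):
    """Parse the page's notation into (low, low_inclusive, high, high_inclusive).
    Assumed ISO 31-11 style: '[' on the left / ']' on the right is inclusive,
    ']' on the left / '[' on the right is exclusive; '?' means unbounded."""
    m = INTERVAL.match(text.strip())
    if not m:
        raise ValueError("unrecognised interval: %r" % text)
    lbr, lo, hi, rbr = m.groups()
    low = None if lo.strip() == "?" else parse_version(lo)
    high = None if hi.strip() == "?" else parse_version(hi)
    return low, lbr == "[", high, rbr == "]"


def in_interval(version, interval):
    """True if the version tuple lies inside the parsed interval."""
    low, low_inc, high, high_inc = interval
    if low is not None and (version < low or (version == low and not low_inc)):
        return False
    if high is not None and (version > high or (version == high and not high_inc)):
        return False
    return True


def affecting_advisories(version_text):
    """Return (advisory, CVE) pairs whose affected range contains the version."""
    version = parse_version(version_text)
    return [(sa, cve) for sa, cve, rng in ADVISORIES
            if in_interval(version, parse_interval(rng))]
```

Running `affecting_advisories("1.9.25")` lists four advisories, while `affecting_advisories("1.11.3")` returns an empty list, matching the upper bounds given above.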