Alexander Bartolich | 4 Sep 02:55 2010

INN 2.5.1-1 on Ubuntu 10.04 does not support SSL

Hi,

The /usr/lib/news/bin/nnrpd-ssl that comes with package inn2 is broken.
Thunderbird reports error ssl_error_rc_record_too_long when it tries
to open a connection. The logfiles show now nothing.
Starting the program manually produces a core dump.

# /usr/lib/news/bin/nnrpd-ssl -n -t -c /etc/news/readers.conf -S
Segmentation fault

However, without debugging symbols that's not too useful.

# gdb /usr/lib/news/bin/nnrpd-ssl core
[...]
(gdb) backtrace full
#0  0x0000000000423b18 in tls_init_serverengine ()
No symbol table info available.
#1  0x0000000000423df5 in tls_init ()
No symbol table info available.
#2  0x000000000041945f in main ()
No symbol table info available.

Perhaps ltrace is more informative.

# ltrace /usr/lib/news/bin/nnrpd-ssl -n -t -c /etc/news/readers.conf -S
[...]
open("/var/spool/news/overview/group.i"..., 0, 0664) = 18
__fxstat(1, 18, 0x7fffac6fff80)                  = 0
__errno_location()                               = 0x7f133405f6a8
fcntl(18, 1, 0, -1, 1)                           = 0

Julien ÉLIE | 4 Sep 09:46 2010

Re: INN 2.5.1-1 on Ubuntu 10.04 does not support SSL

Hi Alexander,

> The /usr/lib/news/bin/nnrpd-ssl that comes with package inn2 is broken.
> Thunderbird reports error ssl_error_rc_record_too_long when it tries
> to open a connection. The logfiles show now nothing.
> Starting the program manually produces a core dump.
>
> # /usr/lib/news/bin/nnrpd-ssl -n -t -c /etc/news/readers.conf -S
> Segmentation fault

I do not know well what happened with the Ubuntu/Debian package
as for TLS support.  Perhaps an issue with the TLS libraries
(because otherwise nnrpd would just not launch:  "-S" is unknown
if HAVE_SSL is undefined).

I saw in March the problem you report for Ubuntu:
    https://bugs.launchpad.net/ubuntu/+source/inn2/+bug/535208

And there was another one in Debian (but here, "-S" is clearly
said to be unknown):
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581937

As far as I recall, no change has been recently done in TLS support
except this one in INN 2.5.1:
    The default path for TLS certificates has changed from pathnews/lib
    to pathetc.  It only affects new INN installations or generations
    of certificates with make cert.  Besides, a default value has been
    added to tlscapath because it is required by nnrpd when TLS is used.

Please check whether it is configured correctly.

Julien ÉLIE | 13 Sep 18:45 2010

Re: cekpasswd.c compile error on cygwin 1.77

Hi Michael,

> I really do need this to run on my windows, for personal use in my
> network, after 2 days 2 nights struggling compiling gd-2.0.36RC1 and perl GD
> 2.5.2 module in cygwin, 1.77, I stumbled upon this error:
> -----------------------------------------------------------
> make[1]: Entering directory `/home/Stellar/inn-STABLE-20100911/authprogs'
> gcc -g -O2 -I../include  -I/usr/include -c ckpasswd.c
> gcc -g -O2 -I../include    -c -o libauth.o libauth.c
> gcc  -o ckpasswd ckpasswd.o -lcrypt    -L/usr/lib -ldb libauth.o /home/Stellar/inn-STABLE-20100911/lib/libinn.a
> ckpasswd.o: In function `password_dbm':
> /home/Stellar/inn-STABLE-20100911/authprogs/ckpasswd.c:165: undefined reference to `_dbm_open'
> /home/Stellar/inn-STABLE-20100911/authprogs/ckpasswd.c:170: undefined reference to `_dbm_fetch'
> /home/Stellar/inn-STABLE-20100911/authprogs/ckpasswd.c:177: undefined reference to `_dbm_close'
> /home/Stellar/inn-STABLE-20100911/authprogs/ckpasswd.c:172: undefined reference to `_dbm_close'
> collect2: ld returned 1 exit status
> make[1]: *** [ckpasswd] Error 1
> make[1]: Leaving directory `/home/Stellar/inn-STABLE-20100911/authprogs'
> make: *** [all-authprogs] Error 2
> -----------------------------------------------------------

Florian Schlichting | 15 Sep 17:28 2010

Re: count single \r or \n as \r\n while checking line length against MAXHEADERSIZE

Hi Julien,

On Tue, Aug 03, 2010 at 10:31:07PM +0200, Julien ÉLIE wrote:
> >I think the question should be, do we really need to reject articles
> >whose header line length exceeds 998 bytes?
> 
> We could accept them.
> 
> RFC 5536:
> 
>   o  Compliant software MUST NOT generate (but MAY accept) header field
>      lines of more than 998 octets.
> 
> 
> 
> >My patch made innd a little more permissive to accommodate for existing
> >articles created by broken clients. If innd really can handle header and
> >body lines of arbitrary length, we might consider dropping that kind of
> >check altogether (for innd, not for nnrpd of course). But since there
> >doesn't seem to be an actual need for this, we might rather leave things
> >as they are and thus prevent the eventual propagation of extraordinarily
> >broken articles and the bugs they might trigger in less robust servers
> >and clients.
> 
> I also agree with you.  Let's keep the check for the time being.

I'm having second thoughts on this issue. Today I noticed that 20-30
articles get rejected every day due to References: headers longer than
998 bytes (but almost always shorter than 1024 bytes) - current innd has
become more restrictive than most software in productive use! That's not good.

Sergey | 20 Sep 09:27 2010

Problem with "configure --with-filter-dir"

Hello.

I am attempting to move filters to /etc. I try to use
"--with-filter-dir=/etc/news/filter", but it does not work.
Filters are moved, but inn does not use them without the symlink
/usr/lib/inn/filter -> /etc/news/filter. Is this a bug,
or do I need some other options?

-- 
Regards,
Sergey

Sergey | 20 Sep 09:37 2010

[INN 2.4.5] Problem with "configure --with-filter-dir"

On Monday 20 September 2010, Sergey wrote:

> I try to use
> "--with-filter-dir=/etc/news/filter"

Version 2.4.5

-- 
Regards,
Sergey

Sergey | 20 Sep 14:05 2010

Re: [INN 2.4.5] Problem with "configure --with-filter-dir"

On Monday 20 September 2010, Sergey wrote:

> > I try to use
> > "--with-filter-dir=/etc/news/filter"
> 
> Version 2.4.5

Sorry, it's my fault: a forgotten "pathfilter" in the old innd.conf.

-- 
Regards,
Sergey

David E Mussulman | 22 Sep 19:31 2010

perl_access, 502 errors, and gracefully removing permissions

Hi gang,

Running INN 2.5.2 as an intranet newsgroup server.  We're using
perl_access to restrict access for users to read/post to various
newsgroups, and it's been working okay.

This week, I was asked to restrict read access to a newsgroup that had
been available to a larger audience.  I updated my perl authz stuff and
excluded that newsgroup from the read and post hashes; that part's
working fine.

However, now, when newsgroups readers who were previously subscribed to
that newsgroup try to connect, they're having problems with the GROUP
(or some other newsgroup access command) returns a "502 Read access
denied" error.

tin 1.8.3 dies after connecting (after auth but before showing its
newsgroup index).  It reports "read access denied". news.notice says
(after a bunch of group commands):

Sep 22 12:07:02 dcs-news1 nnrpd[20859]: columbia.cs.uiuc.edu can't read: Connection reset by peer
Sep 22 12:07:02 dcs-news1 nnrpd[20859]: columbia.cs.uiuc.edu timeout

Thunderbird 3.1.2 Windows gives a popup: "A News (NNTP) error occurred:
Read access denied" and it seems inconsistent when it is able to pull
down other newsgroups versus that connection timing out.

I tested telnetting into the news server on port 119.  A 502 error on
the GROUP command does not terminate the connection (which seems to

Julien ÉLIE | 22 Sep 20:24 2010

Re: perl_access, 502 errors, and gracefully removing permissions

Hi David,

> However, now, when newsgroups readers who were previously subscribed to
> that newsgroup try to connect, they're having problems with the GROUP
> (or some other newsgroup access command) returns a "502 Read access
> denied" error.

That's a compliant generic answer.

   502:  It is necessary to terminate the connection and to start a new
         one with the appropriate authority before the command can be used.

We do not know whether a command is a given command (like "GROUP") or
a whole command with its possible arguments (like "GROUP news.group").
I assume it is a whole command line.

> tin 1.8.3 dies after connecting
>
> Thunderbird 3.1.2 Windows gives a popup: "A News (NNTP) error occurred:
> Read access denied" and it seems inconsistent when it is able to pull
> down other newsgroups versus that connection timing out.

That does not seem good.  Looks like a bug.
I have just contacted their authors to ask for information.

> I tested telnetting into the news server on port 119.  A 502 error on
> the GROUP command does not terminate the connection (which seems to
> follow the RFC), but it looks like some readers just can't handle that
> code in that place.


Mussulman, David E | 22 Sep 20:47 2010

Re: perl_access, 502 errors, and gracefully removing permissions

Hi Julien, thanks for the quick response.

On Wed, Sep 22, 2010 at 01:24:02PM -0500, Julien ÉLIE wrote:
> Hi David,
> 
> > However, now, when newsgroups readers who were previously subscribed to
> > that newsgroup try to connect, they're having problems with the GROUP
> > (or some other newsgroup access command) returns a "502 Read access
> > denied" error.
> 
> That's a compliant generic answer.
> 
>    502:  It is necessary to terminate the connection and to start a new
>          one with the appropriate authority before the command can be used.
> 
> 
> We do not know whether a command is a given command (like "GROUP") or
> a whole command with its possible arguments (like "GROUP news.group").
> I assume it is a whole command line.

Right, it's the whole command line.  "GROUP class.fa09.foobar" returns
the 502 Read access denied

> > I tested telnetting into the news server on port 119.  A 502 error on
> > the GROUP command does not terminate the connection (which seems to
> > follow the RFC), but it looks like some readers just can't handle that
> > code in that place.
> 
> Just to be sure:  is the newsgroup listed in response to "LIST ACTIVE"?
> (or "LIST ACTIVE newsgroup")