CVE-2002-1159

Vulnerability

Canna version 3.6 and earlier contains a flaw in request validation. The software does not properly validate incoming requests, which can lead to memory corruption or unintended data disclosure. This affects the Canna server component as used in Red Hat Linux and Debian distributions. The vulnerability is present in all versions up to and including 3.6 [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability without authentication by sending specially crafted requests to the Canna server over the network. No special privileges or user interaction are required; simply sending malicious input to the listening service triggers the flaw.

Impact

Successful exploitation can result in a denial of service (service crash or hang) or an information leak, where the attacker may be able to read portions of server memory. This compromises availability and confidentiality of the affected system.

Mitigation

Red Hat released updates in RHSA-2002:246 (for Red Hat Linux 7.0, 7.1, 7.2, 7.3) and RHSA-2002:261 (for Red Hat Linux 6.2) that fix this issue. Debian also published an advisory (DSA 224-1) and provided updated packages for the stable distribution (woody). Users should upgrade to the corrected Canna server packages [1][2][3][4].