FreeBSD Security Advisories
2002-Apr-05 07:28 UTC
FreeBSD Security Notice FreeBSD-SN-02:01
-----BEGIN PGP SIGNED MESSAGE----- ============================================================================FreeBSD-SN-02:01 Security Notice FreeBSD, Inc. Topic: security issues in ports Announced: 2002-03-30 I. Introduction Several ports in the FreeBSD Ports Collection are affected by security issues. These are listed below with references and affected versions. All versions given refer to the FreeBSD port/package version numbers. These ports are not installed by default, nor are they ``part of FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications. See <URL:http://www.freebsd.org/ports/> for more information about the FreeBSD Ports Collection. II. Ports +------------------------------------------------------------------------+ Port name: acroread, acroread-chsfont, acroread-chtfont, acroread-commfont, acroread4, linux-mozilla, linux-netscape6, linux_base, linux_base-7 Affected: versions < linux_base-6.1_1 (linux_base port) versions < linux_base-7.1_2 (linux_base-7 port) versions < linux_mozilla-0.9.9_1 all versions of all acroread ports all versions of linux-netscape6 Status: Fixed: linux_base, linux_base-7, linux-mozilla. Not fixed: acroread, acroread-chsfont, acroread-chtfont, acroread-commfont, acroread4, linux-netscape6. These Linux binaries utilize versions of zlib which may contain an exploitable double-free bug. <URL:http://www.redhat.com/support/errata/RHSA-2002-026.html> <URL:http://www.mozilla.org/releases/mozilla0.9.9/> <URL:http://www.redhat.com/support/errata/RHSA-2002-027.html> <URL:http://www.gzip.org/zlib/advisory-2002-03-11.txt> <URL:http://online.securityfocus.com/archive/1/261205> <URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:18.zlib.asc> +------------------------------------------------------------------------+ Port name: apache13-ssl, apache13-modssl Affected: all versions of apache+ssl all versions of apache+mod_ssl Status: Not yet fixed. Buffer overflows in SSL session cache handling. <URL:http://www.apache-ssl.org/advisory-20020301.txt> <URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html> +------------------------------------------------------------------------+ Port name: bulk_mailer Affected: all versions Status: Not yet fixed. Buffer overflows, temporary file race. <URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=112007> +------------------------------------------------------------------------+ Port name: cups, cups-base, cups-lpr Affected: versions < cups-1.1.14 versions < cups-base-1.1.14 versions < cups-lpr-1.1.14 Status: Fixed. Buffer overflows in IPP code. <URL:http://www.cups.org/news.php?V66> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0063> +------------------------------------------------------------------------+ Port name: fileutils Affected: all versions Status: Not yet fixed. Race condition in directory removal. <URL:http://online.securityfocus.com/bind/4266> +------------------------------------------------------------------------+ Port name: imlib Affected: versions < imlib-1.9.13 Status: Fixed. Heap corruption in image handling. <URL:http://online.securityfocus.com/bid/4336> +------------------------------------------------------------------------+ Port name: listar, ecartis Affected: versions < ecartis-1.0.0b all versions of listar Status: Fixed: ecartis. Not fixed: listar. Local and remote buffer overflows, incorrect privilege handling. <URL:http://online.securityfocus.com/bid/4176> <URL:http://online.securityfocus.com/bid/4277> <URL:http://online.securityfocus.com/bid/4271> +------------------------------------------------------------------------+ Port name: mod_php3, mod_php4 Affected: versions < mod_php3-3.0.18_3 versions < mod_php4-4.1.2 Status: Fixed. Vulnerabilities in file upload handling. <URL:http://security.e-matters.de/advisories/012002.html> +------------------------------------------------------------------------+ Port name: ntop Affected: all versions Status: Not yet fixed. Remote format string vulnerability. <URL:http://packetstormsecurity.nl/advisories/misc/H20020304.txt> <URL:http://online.securityfoucs.com/bid/4225> +------------------------------------------------------------------------+ Port name: rsync Affected: versions < rsync-2.5.4 Status: Fixed. Incorrect group privilege handling, zlib double-free bug. <URL:http://online.securityfocus.com/bid/4285> <URL:http://www.rsync.org/> +------------------------------------------------------------------------+ Port name: xchat, xchat-devel Affected: all versions Status: Not yet fixed. Malicious server may cause xchat to execute arbitrary commands. <URL:http://online.securityfocus.com/archive/1/264380> +------------------------------------------------------------------------+ III. Upgrading Ports/Packages Do one of the following: 1) Upgrade your Ports Collection and rebuild and reinstall the port. Several tools are available in the Ports Collection to make this easier. See: /usr/ports/devel/portcheckout /usr/ports/misc/porteasy /usr/ports/sysutils/portupgrade 2) Deinstall the old package and install a new package obtained from [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/ Packages are not automatically generated for other architectures at this time. +------------------------------------------------------------------------+ FreeBSD Security Notices are communications from the Security Officer intended to inform the user community about potential security issues, such as bugs in the third-party applications found in the Ports Collection, which will not be addressed in a FreeBSD Security Advisory. Feedback on Security Notices is welcome at <security-officer@FreeBSD.org>. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPK28lVUuHi5z0oilAQGUuQP/aBo4NQLKF4qiFxvy6+Z0FyMGChECbZYr 3TR2OLdPks0xuoIgbpPAstrTeFbCRe7m59zCibdbRCpUd167QAUEF72nICmcQmYa +ZEFGUHcMxNg09LUd7MxDg1LbczBX7L1SFKFaZOCGuzPa6SrsbvPFbXO7hUu+nSI nH5M1Y1F9rk=hHhx -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message