FreeBSD Security Notice FreeBSD-SN-02:01
FreeBSD Security Advisories
security-advisories at FreeBSD.org
Fri Apr 5 07:28:40 PST 2002
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SN-02:01 Security Notice
FreeBSD, Inc.
Topic: security issues in ports
Announced: 2002-03-30
I. Introduction
Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
These ports are not installed by default, nor are they ``part of
FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications. See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.
II. Ports
+------------------------------------------------------------------------+
Port name: acroread, acroread-chsfont, acroread-chtfont,
acroread-commfont, acroread4, linux-mozilla,
linux-netscape6, linux_base, linux_base-7
Affected: versions < linux_base-6.1_1 (linux_base port)
versions < linux_base-7.1_2 (linux_base-7 port)
versions < linux_mozilla-0.9.9_1
all versions of all acroread ports
all versions of linux-netscape6
Status: Fixed: linux_base, linux_base-7, linux-mozilla.
Not fixed: acroread, acroread-chsfont, acroread-chtfont,
acroread-commfont, acroread4, linux-netscape6.
These Linux binaries utilize versions of zlib which may contain an
exploitable double-free bug.
<URL:http://www.redhat.com/support/errata/RHSA-2002-026.html>
<URL:http://www.mozilla.org/releases/mozilla0.9.9/>
<URL:http://www.redhat.com/support/errata/RHSA-2002-027.html>
<URL:http://www.gzip.org/zlib/advisory-2002-03-11.txt>
<URL:http://online.securityfocus.com/archive/1/261205>
<URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:18.zlib.asc>
+------------------------------------------------------------------------+
Port name: apache13-ssl, apache13-modssl
Affected: all versions of apache+ssl
all versions of apache+mod_ssl
Status: Not yet fixed.
Buffer overflows in SSL session cache handling.
<URL:http://www.apache-ssl.org/advisory-20020301.txt>
<URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html>
+------------------------------------------------------------------------+
Port name: bulk_mailer
Affected: all versions
Status: Not yet fixed.
Buffer overflows, temporary file race.
<URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=112007>
+------------------------------------------------------------------------+
Port name: cups, cups-base, cups-lpr
Affected: versions < cups-1.1.14
versions < cups-base-1.1.14
versions < cups-lpr-1.1.14
Status: Fixed.
Buffer overflows in IPP code.
<URL:http://www.cups.org/news.php?V66>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0063>
+------------------------------------------------------------------------+
Port name: fileutils
Affected: all versions
Status: Not yet fixed.
Race condition in directory removal.
<URL:http://online.securityfocus.com/bind/4266>
+------------------------------------------------------------------------+
Port name: imlib
Affected: versions < imlib-1.9.13
Status: Fixed.
Heap corruption in image handling.
<URL:http://online.securityfocus.com/bid/4336>
+------------------------------------------------------------------------+
Port name: listar, ecartis
Affected: versions < ecartis-1.0.0b
all versions of listar
Status: Fixed: ecartis.
Not fixed: listar.
Local and remote buffer overflows, incorrect privilege handling.
<URL:http://online.securityfocus.com/bid/4176>
<URL:http://online.securityfocus.com/bid/4277>
<URL:http://online.securityfocus.com/bid/4271>
+------------------------------------------------------------------------+
Port name: mod_php3, mod_php4
Affected: versions < mod_php3-3.0.18_3
versions < mod_php4-4.1.2
Status: Fixed.
Vulnerabilities in file upload handling.
<URL:http://security.e-matters.de/advisories/012002.html>
+------------------------------------------------------------------------+
Port name: ntop
Affected: all versions
Status: Not yet fixed.
Remote format string vulnerability.
<URL:http://packetstormsecurity.nl/advisories/misc/H20020304.txt>
<URL:http://online.securityfoucs.com/bid/4225>
+------------------------------------------------------------------------+
Port name: rsync
Affected: versions < rsync-2.5.4
Status: Fixed.
Incorrect group privilege handling, zlib double-free bug.
<URL:http://online.securityfocus.com/bid/4285>
<URL:http://www.rsync.org/>
+------------------------------------------------------------------------+
Port name: xchat, xchat-devel
Affected: all versions
Status: Not yet fixed.
Malicious server may cause xchat to execute arbitrary commands.
<URL:http://online.securityfocus.com/archive/1/264380>
+------------------------------------------------------------------------+
III. Upgrading Ports/Packages
Do one of the following:
1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:
/usr/ports/devel/portcheckout
/usr/ports/misc/porteasy
/usr/ports/sysutils/portupgrade
2) Deinstall the old package and install a new package obtained from
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
Packages are not automatically generated for other architectures at
this time.
+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.
Feedback on Security Notices is welcome at <security-officer at FreeBSD.org>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPK28lVUuHi5z0oilAQGUuQP/aBo4NQLKF4qiFxvy6+Z0FyMGChECbZYr
3TR2OLdPks0xuoIgbpPAstrTeFbCRe7m59zCibdbRCpUd167QAUEF72nICmcQmYa
+ZEFGUHcMxNg09LUd7MxDg1LbczBX7L1SFKFaZOCGuzPa6SrsbvPFbXO7hUu+nSI
nH5M1Y1F9rk=
=hHhx
-----END PGP SIGNATURE-----
This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo at FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message
More information about the freebsd-announce
mailing list