From owner-freebsd-announce Tue Mar 12 6:28:15 2002
Date: Tue, 12 Mar 2002 06:27:51 -0800 (PST)
Message-Id: <200203121427.g2CERps64246@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:14.pam-pgsql
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG

=============================================================================
FreeBSD-SA-02:14                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          pam-pgsql port authentication bypass

Category:       ports
Module:         pam-pgsql
Announced:      2002-03-12
Credits:        Jacques A. Vidrine
Affects:        pam-pgsql port prior to pam-pgsql-0.5.2
Corrected:      2002-01-21 20:06:05 UTC
FreeBSD only:   NO

I.   Background

pam-pgsql is a PAM module which allows PAM-enabled applications such
as login(1) to use a PostgreSQL database for user authentication.

II.  Problem Description

The affected versions of the pam-pgsql port contain a vulnerability
that may allow a remote user to cause arbitrary SQL code to be
executed. pam-pgsql constructs a SQL statement to be executed by the
PostgreSQL server in order to look up user information, verify user
passwords, and change user passwords.
The username and password given by the user are inserted into the SQL
statement without any quoting or other safety checks.

The pam-pgsql port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains thousands of third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A user interacting with a PAM-enabled application may insert
arbitrary SQL code into the username or password fields during
authentication or while changing passwords, leading to several
exploit opportunities. In all versions of the pam-pgsql port prior
to 0.5.2, attackers may add or change user account records. In
addition, in versions of the pam-pgsql port prior to 0.3, attackers
may cause pam-pgsql to completely bypass password authentication,
allowing them to authenticate as any user and obtain unauthorized
access using the PAM-enabled application.

Since common PAM applications include login(1) and sshd(8), both
local and remote attacks are possible.

IV.  Workaround

1) Deinstall the pam-pgsql port/package if you have it installed.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Download a new port skeleton for the pam-pgsql port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (2) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz

VI.  Correction details

The following list contains the revision numbers of each file that
was corrected in the FreeBSD Ports Collection.

Path                                                             Revision
-------------------------------------------------------------------------
ports/security/pam-pgsql/Makefile                                     1.9
ports/security/pam-pgsql/distinfo                                     1.3
ports/security/pam-pgsql/pkg-descr                                    1.2
-------------------------------------------------------------------------

VII. References

This vulnerability is very similar to previous vulnerabilities
involving Apache modules and discovered by RUS-CERT.

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Tue Mar 12 6:28:36 2002
Date: Tue, 12 Mar 2002 06:27:58 -0800 (PST)
Message-Id: <200203121427.g2CERwo64322@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:15.cyrus-sasl
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG

=============================================================================
FreeBSD-SA-02:15                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          cyrus-sasl library contains format string vulnerability

Category:       ports
Module:         cyrus-sasl
Announced:      2002-03-12
Credits:        Kari Hurtta
Affects:        cyrus-sasl port prior to cyrus-sasl-1.5.24_8
Corrected:      2001-12-09 03:07:36 UTC
FreeBSD only:   NO
CVE:            CAN-2001-0869

I.   Background

Cyrus-SASL is an implementation of RFC 2222 SASL (Simple
Authentication and Security Layer), a method for adding
authentication support to connection based protocols.

II.  Problem Description

Affected versions of the cyrus-sasl port contain a format string
vulnerability. The format string vulnerability occurs during a call
to the syslog(3) function.

The cyrus-sasl port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains thousands of third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 is vulnerable
to this problem since it was discovered after its release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Malicious remote users may cause an application using cyrus-sasl to
execute arbitrary code with the privileges of the process using the
cyrus-sasl library. However, there are no known exploits at this
writing, and the author of cyrus-sasl does not believe that this bug
is exploitable. See the `References' section for more information.

If the cyrus-sasl port is not installed, then your system is not
vulnerable to this problem. The following command can be used to
determine whether or not the cyrus-sasl port is installed:

    # pkg_info -I cyrus-sasl-\*

IV.  Workaround

Deinstall the cyrus-sasl port if you have installed it.

V.   Solution

Do one of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old port and install a corrected version from the
following directories.

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for cyrus-sasl from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

VI.  Correction details

The following list contains the revision numbers of each file that
was corrected in the FreeBSD ports collection.

Path                                                             Revision
-------------------------------------------------------------------------
ports/security/cyrus-sasl/Makefile                                   1.30
ports/security/cyrus-sasl/files/patch-lib::common.c                   1.1
-------------------------------------------------------------------------

VII. References

From owner-freebsd-announce Tue Mar 12 6:29:55 2002
Date: Tue, 12 Mar 2002 06:28:03 -0800 (PST)
Message-Id: <200203121428.g2CES3e64408@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:16.netscape
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG

=============================================================================
FreeBSD-SA-02:16                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          GIF/JPEG comment vulnerability in Netscape

Category:       ports
Module:         netscape
Announced:      2002-03-12
Credits:        Florian Wesch
Affects:        All Netscape ports with versions prior to 4.77
Corrected:      2001-04-07 16:41:36 UTC
FreeBSD only:   NO

I.   Background

Netscape Navigator or Communicator is a popular web browser,
available in several versions in the FreeBSD ports collection.

II.  Problem Description

The GIF89a and JPEG standards permit images to have embedded
comments, in which any kind of textual data may be stored.
Versions 4.76 and earlier of the Netscape browser will execute
JavaScript contained in such a comment block, if execution of
JavaScript is enabled in the configuration of the browser.

The Netscape browser supports a non-standard URL scheme, `about:'.
Visiting `about:' URLs causes Navigator to display information which
may be sensitive. For example, `about:global' gives a listing of
recently accessed URLs; `about:cache' shows a similar listing, but
with the time each page was visited and the name of each
corresponding file in the disk cache; and `about:config' displays
the full configuration of the browser. JavaScript executed from the
comment block of a maliciously constructed image can send information
from an `about:' URL back to a hostile Web server.

The Netscape ports are not installed by default, nor are they "part
of FreeBSD" as such: they are part of the FreeBSD ports collection,
which contains thousands of third-party applications in a
ready-to-install format. The ports collection shipped with FreeBSD
4.5 contains some Netscape versions which are vulnerable to these
problems.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

The browser can be caused to transmit sensitive information to a
hostile Web server, if JavaScript is enabled and a page on the server
is visited.

If you have not chosen to install a Netscape port or package, your
system is not vulnerable to this problem.

IV.  Workarounds

Do one of the following:

1) Deinstall affected Netscape ports or packages, if any are
installed.

2) Disable JavaScript. This can be done interactively by running
Navigator, going to the Edit menu, choosing Preferences, and changing
the setting in the Advanced section. Alternatively, append the line:

    user_pref("javascript.enabled", false);

to the $HOME/.netscape/preferences.js of every user.
Users are likely to want to re-enable JavaScript, because its use is
required by some Web sites. If they do, they could become vulnerable
again.

3) Similarly, disable automatic loading of images. The corresponding
configuration line is:

    user_pref("general.always_load_images", false);

Some Web sites require images. If users enable automatic loading, or
if they click the Images button, they could become vulnerable again.

4) Install a filtering proxy, and configure it to block all images
from untrusted sites. The www/adzap or www/adzapper ports may be
suitable. Doing this will make many Web sites unviewable.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the relevant
Netscape port, if available. Netscape binaries for several
platforms, including FreeBSD/i386, were discontinued before the
release of 4.77.

2) Deinstall the old package and install a new package, obtained from
the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/

linux-netscape-communicator-4.79.tgz
linux-netscape-navigator-4.79.tgz

[alpha]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/

netscape-communicator-4.78.tgz

3) Download a new port skeleton for the Netscape port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

NOTE: Since there are so many variations of the Netscape ports in the
FreeBSD ports collection they are not listed separately here.
Localized versions are also available in the respective language
subdirectory.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz

VI.  References

From owner-freebsd-announce Tue Mar 12 6:31: 2 2002
Date: Tue, 12 Mar 2002 06:28:09 -0800 (PST)
Message-Id: <200203121428.g2CES9q64473@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:17.mod_frontpage
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG

=============================================================================
FreeBSD-SA-02:17                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          mod_frontpage port contains exploitable buffer overflow

Category:       ports
Module:         mod_frontpage
Announced:      2002-03-12
Credits:        Martin Blapp
Affects:        mod_frontpage port prior to version mod_portname-1.6.1
Corrected:      2002-02-05 16:18:42 2002 UTC
FreeBSD only:   NO

I.   Background

mod_frontpage is a replacement for Microsoft's frontpage apache
patch to support FP extensions. It is installed as a DSO module.

II.  Problem Description

Affected versions of the mod_frontpage port contain several
exploitable buffer overflows in the fpexec wrapper, which is
installed setuid root.

The mod_frontpage port is not installed by default, nor is it "part
of FreeBSD" as such: it is part of the FreeBSD ports collection,
which contains over 6000 third-party applications in a
ready-to-install format. The ports collection shipped with FreeBSD
4.5 contains this security problem since it was discovered after the
release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A local attacker may obtain superuser privileges by exploiting the
buffer overflow bugs in fpexec.

IV.  Workaround

1) Deinstall the mod_frontpage ports/packages if you have them
installed.

V.   Solution

Do one of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after
the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the mod_frontpage port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or
the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz

VI.  Correction details

The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source.

Path                                                             Revision
-------------------------------------------------------------------------
ports/www/mod_frontpage/Makefile                                      1.7
ports/www/mod_frontpage/distinfo                                      1.4
ports/www/mod_frontpage/files/patch-Makefile.PL                       1.3
ports/www/mod_frontpage/files/patch-Makefile.in                       1.1
ports/www/mod_frontpage/files/patch-mod_frontpage.c                   1.4
-------------------------------------------------------------------------
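
Added example for FreeBSD-SA-02:14 (not pam-pgsql's code and not the fix shipped in 0.5.2): the unquoted statement construction the advisory describes, beside a quoted form, with a small lexer stand-in that shows when the input has changed the statement's structure. The table and column names, the function names and the sample inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical schema: the advisory does not show pam-pgsql's real query. */
#define QUERY_FMT "SELECT password FROM accounts WHERE username = '%s'"

/* BEFORE: user input pasted into the statement with no quoting. */
int build_query_unquoted(char *out, size_t outlen, const char *user)
{
    int n = snprintf(out, outlen, QUERY_FMT, user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Double ' and \ so the text stays inside one single-quoted literal (the
 * backslash matters when the server treats it as an escape). Rejects control
 * characters. Returns 0, or -1 on bad or oversized input. */
int sql_escape_literal(char *out, size_t outlen, const char *in)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = (c == '\'' || c == '\\') ? 2 : 1;
        if (c < 0x20 || c == 0x7f || o + need >= outlen) return -1;
        if (need == 2) out[o++] = (char)c;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* AFTER: escape first, then fill the same template. */
int build_query_quoted(char *out, size_t outlen, const char *user)
{
    char esc[129];                       /* up to 64 doubled bytes */
    if (sql_escape_literal(esc, sizeof esc, user) != 0) return -1;
    return build_query_unquoted(out, outlen, esc);
}

/* Lexer stand-in: complete string literals in sql, -1 if one is left open. */
int count_literals(const char *sql)
{
    int in_lit = 0, count = 0;
    for (const char *p = sql; *p != '\0'; p++) {
        if (!in_lit) in_lit = (*p == '\'');
        else if (*p == '\\' && p[1] != '\0') p++;      /* escaped character */
        else if (*p == '\'' && p[1] == '\'') p++;      /* doubled quote */
        else if (*p == '\'') { in_lit = 0; count++; }  /* literal closed */
    }
    return in_lit ? -1 : count;
}

int main(void)
{
    char q[256];
    build_query_unquoted(q, sizeof q, "o'brien");      /* constructed input */
    printf("%2d  %s\n", count_literals(q), q);
    build_query_quoted(q, sizeof q, "o'brien");
    printf("%2d  %s\n", count_literals(q), q);
    return 0;
}
```

In code linked against libpq, PQexecParams (parameters sent separately from the statement) or PQescapeStringConn (escaping that knows the connection's encoding) is preferable to a hand-written escaper like this one.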
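
Added example for FreeBSD-SA-02:16 (not from the advisory or from Netscape): a bounds-checked walk of the GIF89a block structure that collects the text of every Comment Extension, which is what a filtering proxy of the kind named in workaround 4 would inspect or strip. The function names and the sample image bytes are constructed for the illustration; JPEG comment segments are not covered.

```c
#include <stdio.h>
#include <string.h>

/* Walk a chain of data sub-blocks at b[pos]; if out is non-NULL append their
 * bytes to it. Returns the offset past the 0 terminator, or 0 if truncated. */
static size_t walk_sub_blocks(const unsigned char *b, size_t len, size_t pos,
                              char *out, size_t *o, size_t outlen)
{
    while (pos < len) {
        size_t n = b[pos++];
        if (n == 0) return pos;
        if (n > len - pos) return 0;
        for (size_t i = 0; out != NULL && i < n && *o + 1 < outlen; i++)
            out[(*o)++] = (char)b[pos + i];
        pos += n;
    }
    return 0;
}

/* Collect the text of every Comment Extension (0x21 0xFE) in a GIF89a file.
 * Returns the number of comment blocks, or -1 if the file is malformed. */
int gif_collect_comments(const unsigned char *b, size_t len, char *out, size_t outlen)
{
    size_t pos = 13, o = 0;               /* 6-byte header + 7-byte descriptor */
    int found = 0;
    if (len < 13 || outlen == 0 || memcmp(b, "GIF89a", 6) != 0) return -1;
    if (b[10] & 0x80) pos += 3u << ((b[10] & 7) + 1);     /* global colour table */
    while (pos < len) {
        unsigned char tag = b[pos++];
        if (tag == 0x3B) { out[o] = '\0'; return found; } /* trailer */
        if (tag == 0x2C) {                                /* image descriptor */
            if (len - pos < 10) return -1;
            unsigned char packed = b[pos + 8];
            pos += 10;                    /* 9 descriptor bytes + LZW code size */
            if (packed & 0x80) pos += 3u << ((packed & 7) + 1);  /* local table */
            pos = walk_sub_blocks(b, len, pos, NULL, NULL, 0);
        } else if (tag == 0x21 && pos < len) {            /* extension block */
            int is_comment = (b[pos++] == 0xFE);
            found += is_comment;
            pos = walk_sub_blocks(b, len, pos, is_comment ? out : NULL, &o, outlen);
        } else {
            return -1;                                    /* unknown block type */
        }
        if (pos == 0) return -1;                          /* truncated sub-blocks */
    }
    return -1;                                            /* no trailer seen */
}

/* Constructed 1x1 GIF89a whose comment is split over two sub-blocks. */
static const unsigned char SAMPLE_GIF[] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x80,0,0, 0,0,0, 255,255,255,
    0x21,0xFE, 5,'h','e','l','l','o', 4,' ','g','i','f', 0,
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x00, 2, 2,0x44,0x01, 0, 0x3B };

int main(void)
{
    char text[64];
    int n = gif_collect_comments(SAMPLE_GIF, sizeof SAMPLE_GIF, text, sizeof text);
    printf("%d comment block(s): \"%s\"\n", n, n > 0 ? text : "");
    return 0;
}
```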