From: Linh Pham
Date: Thu, 18 Oct 2007 13:44:04 -0700
To: freebsd-security@freebsd.org
Cc: nick@foobar.org
Subject: www/drupal4 and www/drupal5: Multiple security vulnerabilities

The Drupal project announced several security vulnerabilities for the
4.7.x and 5.x releases of the Drupal package. These affect two current
ports: www/drupal4 and www/drupal5.

The following are the security advisories that were posted:

4.7.x:
* DRUPAL-SA-2007-024: http://drupal.org/node/184315
* DRUPAL-SA-2007-026: http://drupal.org/node/184320
* DRUPAL-SA-2007-030: http://drupal.org/node/184354

5.x:
* DRUPAL-SA-2007-024: http://drupal.org/node/184315
* DRUPAL-SA-2007-025: http://drupal.org/node/184316
* DRUPAL-SA-2007-026: http://drupal.org/node/184320
* DRUPAL-SA-2007-029: http://drupal.org/node/184348
* DRUPAL-SA-2007-030: http://drupal.org/node/184354

While patches are available for 4.7.7 and 5.2, they recommend an update
to the latest version of the respective branches (4.7.8 and 5.3).

-- 
Linh Pham
question@closedsrc.org
http://closedsrc.org/


From: "Simon L. Nielsen"
Date: Fri, 19 Oct 2007 00:37:24 +0200
To: freebsd-current@freebsd.org, freebsd-stable@FreeBSD.org
Cc: freebsd-security@FreeBSD.org
Subject: [simon@FreeBSD.org: cvs commit: src/crypto/openssl/ssl d1_both.c dtls1.h ssl.h ssl_err.c]

Hey,

RELENG_7 isn't -STABLE yet, so the issue mentioned in the commit mail
below will not get a Security Advisory. This only affects applications
using DTLS, and I doubt there are many of those, but users should still
upgrade to get this fix, just in case. See the OpenSSL advisory for
some more details:

http://www.openssl.org/news/secadv_20071012.txt

If anybody were wondering, and hadn't checked the OpenSSL advisory:
older versions of FreeBSD aren't affected as they have OpenSSL 0.9.7
which isn't affected (it doesn't have DTLS support).

----- Forwarded message from "Simon L. Nielsen" -----

From: "Simon L. Nielsen"
Date: Thu, 18 Oct 2007 22:20:04 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/crypto/openssl/ssl d1_both.c dtls1.h ssl.h ssl_err.c

simon       2007-10-18 22:20:04 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_7)
    crypto/openssl/ssl   d1_both.c dtls1.h ssl.h ssl_err.c
  Log:
  MFC: Import DTLS security fix from upstream OpenSSL_0_9_8-stable branch.

  Security:       CVE-2007-4995
  Security:       http://www.openssl.org/news/secadv_20071012.txt
  Approved by:    re (kensmith)

  Revision      Changes     Path
  1.1.1.1.2.1   +533 -605   src/crypto/openssl/ssl/d1_both.c
  1.1.1.1.2.1   +3 -4       src/crypto/openssl/ssl/dtls1.h
  1.1.1.16.2.1  +1 -0       src/crypto/openssl/ssl/ssl.h
  1.1.1.11.2.1  +1 -0       src/crypto/openssl/ssl/ssl_err.c

----- End forwarded message -----

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer


From: FreeBSD Security Officer
Date: Thu, 18 Oct 2007 18:08:32 -0700
To: freebsd security, FreeBSD Stable
Reply-To: security-officer@freebsd.org
Subject: FreeBSD 6.2 EoL =~ s/January/May/

Hello Everyone,

In light of the longer-than-expected window between 6.2-RELEASE and 6.2-RELEASE,
the End-of-Life date for FreeBSD 6.2 has been adjusted from January 31st, 2008
to May 31st, 2008. As a result, FreeBSD 5.5, FreeBSD 6.1, and FreeBSD 6.2 will
all cease to be supported at the end of May 2008.

FreeBSD users should plan on upgrading to either FreeBSD 6.3 or FreeBSD 7.0 once
those have been released (hopefully by the end of December). FreeBSD 6.3 will
be supported until the end of 2009, while FreeBSD 7.0 will be supported until
the end of 2008.

Colin Percival
FreeBSD Security Officer


From: Colin Percival
Date: Thu, 18 Oct 2007 18:38:17 -0700
To: security-officer@freebsd.org
Cc: freebsd security, FreeBSD Stable
Subject: Re: FreeBSD 6.2 EoL =~ s/January/May/

FreeBSD Security Officer wrote:
> Hello Everyone,
>
> In light of the longer-than-expected window between 6.2-RELEASE and 6.2-RELEASE,
                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This should read "between 6.2-RELEASE and 6.3-RELEASE", of course...

> the End-of-Life date for FreeBSD 6.2 has been adjusted from January 31st, 2008
> to May 31st, 2008. As a result, FreeBSD 5.5, FreeBSD 6.1, and FreeBSD 6.2 will
> all cease to be supported at the end of May 2008.
>
> FreeBSD users should plan on upgrading to either FreeBSD 6.3 or FreeBSD 7.0 once
> those have been released (hopefully by the end of December). FreeBSD 6.3 will
> be supported until the end of 2009, while FreeBSD 7.0 will be supported until
> the end of 2008.
>
> Colin Percival
> FreeBSD Security Officer


From: Nick Hilliard
Date: Fri, 19 Oct 2007 00:37:32 +0100
To: Linh Pham
Cc: freebsd-security@freebsd.org
Subject: Re: www/drupal4 and www/drupal5: Multiple security vulnerabilities

Linh Pham wrote:
> The Drupal project announced several security vulnerabilities for the
> 4.7.x and 5.x releases of the Drupal package. These affect two current
> ports: www/drupal4 and www/drupal5.
>
> The following are the security advisories that were posted:
>
> 4.7.x:
> * DRUPAL-SA-2007-024: http://drupal.org/node/184315
> * DRUPAL-SA-2007-026: http://drupal.org/node/184320
> * DRUPAL-SA-2007-030: http://drupal.org/node/184354
>
> 5.x:
> * DRUPAL-SA-2007-024: http://drupal.org/node/184315
> * DRUPAL-SA-2007-025: http://drupal.org/node/184316
> * DRUPAL-SA-2007-026: http://drupal.org/node/184320
> * DRUPAL-SA-2007-029: http://drupal.org/node/184348
> * DRUPAL-SA-2007-030: http://drupal.org/node/184354
>
> While patches are available for 4.7.7 and 5.2, they recommend an update
> to the latest version of the respective branches (4.7.8 and 5.3).

I emailed security-team@ earlier today with patches for the vuxml
database, and will get patches for 4.7.8 and 5.3 in the next day or two.

Nick


From: CmdLnKid
Date: Sat, 20 Oct 2007 00:17:58 -0400
To: Linh Pham
Cc: FreeBSD-Security
Subject: Re: www/drupal4 and www/drupal5: Multiple security vulnerabilities

On Thu, 18 Oct 2007 13:44 -0700, question wrote:

> The Drupal project announced several security vulnerabilities for the
> 4.7.x and 5.x releases of the Drupal package. These affect two current
> ports: www/drupal4 and www/drupal5.
>
> The following are the security advisories that were posted:
>
> 4.7.x:
> * DRUPAL-SA-2007-024: http://drupal.org/node/184315
> * DRUPAL-SA-2007-026: http://drupal.org/node/184320
> * DRUPAL-SA-2007-030: http://drupal.org/node/184354
>
> 5.x:
> * DRUPAL-SA-2007-024: http://drupal.org/node/184315
> * DRUPAL-SA-2007-025: http://drupal.org/node/184316
> * DRUPAL-SA-2007-026: http://drupal.org/node/184320
> * DRUPAL-SA-2007-029: http://drupal.org/node/184348
> * DRUPAL-SA-2007-030: http://drupal.org/node/184354
>
> While patches are available for 4.7.7 and 5.2, they recommend an update
> to the latest version of the respective branches (4.7.8 and 5.3).
>

PS: This isn't FreeBSD specific (...) -> *ports*@ -> *maintainer*@

-- 
- (2^(N-1))