From owner-freebsd-ports Thu Sep 21 18: 0: 9 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 21A7237B443
    for ; Thu, 21 Sep 2000 18:00:03 -0700 (PDT)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.9.3/8.9.2) id SAA18784;
    Thu, 21 Sep 2000 18:00:03 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
    id CA93237B440; Thu, 21 Sep 2000 17:56:48 -0700 (PDT)
Message-Id: <20000922005648.CA93237B440@hub.freebsd.org>
Date: Thu, 21 Sep 2000 17:56:48 -0700 (PDT)
From: kris@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: ports/21464: linux_base port installs insecure glibc rpm
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 21464
>Category: ports
>Synopsis: linux_base port installs insecure glibc rpm
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 21 18:00:02 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Kris Kennaway
>Release:
>Organization:
>Environment:
>Description:
The linux_base port installs an out of date RPM which has security vulnerabilities when used with privileged applications. By default no such applications are installed by the linux compatibility ports, but there may be others in the ports tree which I don't know about. An updated glibc rpm is available but it is only in the redhat 6.2 directories on the redhat mirror sites. The port currently installs redhat 6.1 rpms, although the newer glibc rpm is apparently suitable for 6.1 as well. The redhat advisory is available at http://www.redhat.com/support/errata/RHSA-2000-057-04.html which points to the fixed glibc rpm.

I'm not sure if we currently install other vulnerable RPMs - the redhat security advisories should be checked at http://www.redhat.com/apps/support/updates.html
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message