From owner-freebsd-security Fri Jan 4 21:56:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from scrabble.freeuk.net (scrabble.freeuk.net [212.126.144.6]) by hub.freebsd.org (Postfix) with ESMTP id 4B79F37B41B for ; Fri, 4 Jan 2002 21:56:45 -0800 (PST)
Received: from adsl-solo-39-36.claranet.co.uk ([213.253.39.36] helo=myname.my.domain) by scrabble.freeuk.net with esmtp (Exim 3.33 #1) id 16Mjos-0000EZ-00 for security@FreeBSD.ORG; Sat, 05 Jan 2002 05:56:38 +0000
Received: (from alex@localhost) by myname.my.domain (8.11.6/8.11.3) id g0564QE09349 for security@FreeBSD.ORG; Sat, 5 Jan 2002 06:04:26 GMT (envelope-from alex)
Date: Sat, 5 Jan 2002 06:04:26 +0000
From: "Aleksandar Simic'"
To: security@FreeBSD.ORG
Subject: Re: Security advisory SA-02:04 typo?
Message-ID: <20020105060426.A9217@frustum.clara.co.uk>
References: <3C35F700.20238.29BF6BB@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3C35F700.20238.29BF6BB@localhost>; from pjklist@ekahuna.com on Fri, Jan 04, 2002 at 06:40:00PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Jan 04, 2002 at 06:40:00PM -0800, Philip J. Koenig wrote:
[...]
> > The mutt ports, versions prior to mutt-1.2.25_1 and
> > mutt-devel-1.3.24_2, contain a buffer overflow in the handling of
> > email addresses in headers.
>
>
> Shall I assume the "1.2.25_1" string above is a typo? Is it really
> the versions prior to 1.2.5_1? Because I would think 1.2.2x seems to
> be pretty old at this point.

Good point, and what about the actual package names?

In the advisory the following URLs are listed as fixed packages:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mutt-1.2.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mutt-devel-1.3.24_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-1.2.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-devel-1.3.24_2.tgz

from ftp.freebsd.org
--------------------

ftp> pwd
257 "/pub/FreeBSD/ports/i386/packages-4-stable/mail"
ftp> ls mutt*
mutt-1.2.5.tgz -> ../All/mutt-1.2.5.tgz
mutt-devel-1.3.24_1.tgz -> ../All/mutt-devel-1.3.24_1.tgz

ftp> pwd
257 "/pub/FreeBSD/ports/i386/packages-5-current/mail"
ftp> ls mutt*
mutt-1.2.5.tgz -> ../All/mutt-1.2.5.tgz
mutt-devel-1.3.24_1.tgz -> ../All/mutt-devel-1.3.24_1.tgz

not mutt-1.2.5_1.tgz but mutt-1.2.5.tgz is found.
              ^^                   ^
The same is with mutt-devel-1.3.24_2.tgz, as only
                                  ^^
mutt-devel-1.3.24_1.tgz is listed.
                 ^^

So is mutt-1.2.5_1.tgz the same as mutt-1.2.5.tgz?
And is mutt-devel-1.3.24_2.tgz the same as mutt-devel-1.3.24_1.tgz?

Thanks,

--Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
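
Added example, not part of the original message or of the advisory: a Python check that compares the fixed package names from the advisory URLs with the names in the FTP listing quoted in the message. It assumes the FreeBSD ports convention that a `_N` suffix is the port revision and that a missing suffix means revision 0; `parse_pkg` and `check_mirror` are illustrative names, and PORTEPOCH suffixes are not handled.

```python
import re

# Fixed package file names, taken from the advisory URLs quoted in the message.
ADVISORY_FIXED = ["mutt-1.2.5_1.tgz", "mutt-devel-1.3.24_2.tgz"]
# Constructed sample input: the names returned by `ls mutt*` in the FTP session.
FTP_LISTING = ["mutt-1.2.5.tgz", "mutt-devel-1.3.24_1.tgz"]

# name-version[_portrevision].tgz (PORTEPOCH ",N" is not handled here).
PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-_,]+)(?:_(?P<rev>\d+))?\.tgz$")


def parse_pkg(filename):
    """Return (name, version, port_revision) for a package file name."""
    m = PKG_RE.match(filename)
    if m is None:
        raise ValueError(f"unrecognised package file name: {filename!r}")
    # Assumption: no "_N" suffix means port revision 0.
    return m["name"], m["ver"], int(m["rev"] or 0)


def check_mirror(advisory, listing):
    """Map each advisory package to (status, file actually on the mirror)."""
    on_mirror = {parse_pkg(f)[0]: f for f in listing}
    report = {}
    for fixed in advisory:
        name, ver, rev = parse_pkg(fixed)
        have = on_mirror.get(name)
        if have is None:
            report[fixed] = ("missing", None)
        elif have == fixed:
            report[fixed] = ("present", have)
        else:
            _, have_ver, have_rev = parse_pkg(have)
            # Same upstream version but lower port revision: an earlier build
            # of the port than the one the advisory names as fixed.
            older = have_ver == ver and have_rev < rev
            report[fixed] = ("older-revision" if older else "differs", have)
    return report


if __name__ == "__main__":
    for fixed, (status, have) in check_mirror(ADVISORY_FIXED, FTP_LISTING).items():
        print(f"{fixed}: {status} (mirror has {have})")
```
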