Date: Fri, 5 Apr 2002 07:12:24 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Notice FreeBSD-SN-02:01
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SN-02:01                                              Security Notice
                                                                FreeBSD, Inc.

Topic:          security issues in ports

Announced:      2002-03-30

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.

These ports are not installed by default, nor are they ``part of FreeBSD''
as such. The FreeBSD Ports Collection contains thousands of third-party
applications in a ready-to-install format. FreeBSD makes no claim about
the security of these third-party applications. See for more information
about the FreeBSD Ports Collection.

II.  Ports
+------------------------------------------------------------------------+
Port name:      acroread, acroread-chsfont, acroread-chtfont,
                acroread-commfont, acroread4, linux-mozilla,
                linux-netscape6, linux_base, linux_base-7
Affected:       versions < linux_base-6.1_1 (linux_base port)
                versions < linux_base-7.1_2 (linux_base-7 port)
                versions < linux_mozilla-0.9.9_1
                all versions of all acroread ports
                all versions of linux-netscape6
Status:         Fixed: linux_base, linux_base-7, linux-mozilla.
                Not fixed: acroread, acroread-chsfont, acroread-chtfont,
                acroread-commfont, acroread4, linux-netscape6.

These Linux binaries utilize versions of zlib which may contain an
exploitable double-free bug.

+------------------------------------------------------------------------+
Port name:      apache13-ssl, apache13-modssl
Affected:       all versions of apache+ssl
                all versions of apache+mod_ssl
Status:         Not yet fixed.

Buffer overflows in SSL session cache handling.

+------------------------------------------------------------------------+
Port name:      bulk_mailer
Affected:       all versions
Status:         Not yet fixed.

Buffer overflows, temporary file race.

+------------------------------------------------------------------------+
Port name:      cups, cups-base, cups-lpr
Affected:       versions < cups-1.1.14
                versions < cups-base-1.1.14
                versions < cups-lpr-1.1.14
Status:         Fixed.

Buffer overflows in IPP code.

+------------------------------------------------------------------------+
Port name:      fileutils
Affected:       all versions
Status:         Not yet fixed.

Race condition in directory removal.

+------------------------------------------------------------------------+
Port name:      imlib
Affected:       versions < imlib-1.9.13
Status:         Fixed.

Heap corruption in image handling.

+------------------------------------------------------------------------+
Port name:      listar, ecartis
Affected:       versions < ecartis-1.0.0b
                all versions of listar
Status:         Fixed: ecartis. Not fixed: listar.

Local and remote buffer overflows, incorrect privilege handling.
+------------------------------------------------------------------------+
Port name:      mod_php3, mod_php4
Affected:       versions < mod_php3-3.0.18_3
                versions < mod_php4-4.1.2
Status:         Fixed.

Vulnerabilities in file upload handling.

+------------------------------------------------------------------------+
Port name:      ntop
Affected:       all versions
Status:         Not yet fixed.

Remote format string vulnerability.

+------------------------------------------------------------------------+
Port name:      rsync
Affected:       versions < rsync-2.5.4
Status:         Fixed.

Incorrect group privilege handling, zlib double-free bug.

+------------------------------------------------------------------------+
Port name:      xchat, xchat-devel
Affected:       all versions
Status:         Not yet fixed.

Malicious server may cause xchat to execute arbitrary commands.

+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

Do one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
   Several tools are available in the Ports Collection to make this
   easier. See:

   /usr/ports/devel/portcheckout
   /usr/ports/misc/porteasy
   /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

   [i386]
   ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

   Packages are not automatically generated for other architectures at
   this time.

+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security Advisory.
Feedback on Security Notices is welcome at .
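Before following section III it helps to know which installed packages this notice actually covers. The script below is an added example, not part of the notice or of any FreeBSD tool: it transcribes the "Affected" ranges from section II and checks pkg_info(1)-style package names against them, using a simplified version ordering (PORTEPOCH, dotted components, PORTREVISION). The sample package list is constructed, and the rule that the linux_base-7 port installs packages named linux_base-7.x is an assumption.

```python
"""Flag installed packages that FreeBSD-SN-02:01 says need upgrading. Added example,
not part of the notice; input is pkg_info(1)-style '<name>-<version> <comment>' lines."""
import re

# Rules transcribed from section II as (package name, lower bound, upper bound):
# affected when lower <= version < upper; upper None means "all versions".
# Assumption: the linux_base-7 port's packages are named linux_base-7.x (hence the lower bound).
AFFECTED = [
    ("linux_base", None, "6.1_1"), ("linux_base", "7", "7.1_2"), ("linux_mozilla", None, "0.9.9_1"),
    ("linux-netscape6", None, None), ("acroread", None, None), ("acroread4", None, None),
    ("acroread-chsfont", None, None), ("acroread-chtfont", None, None), ("acroread-commfont", None, None),
    ("apache+ssl", None, None), ("apache+mod_ssl", None, None), ("bulk_mailer", None, None),
    ("cups", None, "1.1.14"), ("cups-base", None, "1.1.14"), ("cups-lpr", None, "1.1.14"),
    ("fileutils", None, None), ("imlib", None, "1.9.13"), ("ecartis", None, "1.0.0b"),
    ("listar", None, None), ("mod_php3", None, "3.0.18_3"), ("mod_php4", None, "4.1.2"),
    ("ntop", None, None), ("rsync", None, "2.5.4"), ("xchat", None, None), ("xchat-devel", None, None),
]

def version_key(version):
    """Simplified pkg_version(1) ordering: PORTEPOCH (',N') dominates, then the dotted
    components (digits numerically; a letter suffix sorts after the bare number, so
    1.0.0b > 1.0.0), then PORTREVISION ('_N')."""
    main, _, epoch = version.partition(",")
    main, _, rev = main.partition("_")
    comps = [tuple((1, int(t), "") if t.isdigit() else (0, 0, t)
                   for t in re.findall(r"\d+|[A-Za-z]+", c)) for c in main.split(".")]
    return (int(epoch or 0), comps, int(rev or 0))

def is_affected(pkgname):
    """True if e.g. 'cups-base-1.1.13' falls inside one of the affected ranges."""
    name, _, version = pkgname.rpartition("-")  # the version follows the last '-'
    key = version_key(version)
    return any(rule == name
               and (lower is None or key >= version_key(lower))
               and (upper is None or key < version_key(upper))
               for rule, lower, upper in AFFECTED)

def check_installed(pkg_info_lines):
    """Return the package names from pkg_info output that this notice covers."""
    return [line.split()[0] for line in pkg_info_lines
            if line.strip() and is_affected(line.split()[0])]

SAMPLE_PKG_INFO = [  # constructed sample lines, not output from a real host
    "cups-base-1.1.13    Common UNIX Printing System: Server",
    "ecartis-1.0.0a      Mailing list manager",
    "linux_base-6.1      The base set of packages needed in Linux mode",
    "linux_base-7.1_2    The base set of packages needed in Linux mode",
    "rsync-2.5.2         A network file distribution/synchronization utility",
    "xchat-1.8.7         An X11 IRC client using the GTK+ 1 toolkit",
]
```

On a real host, feed it `pkg_info | python3 check.py` style input by reading stdin instead of SAMPLE_PKG_INFO; the packages it reports are the ones to rebuild or replace per section III.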