Date:      Mon, 29 Apr 2002 15:18:24 -0400 (EDT)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        anarcat@anarcat.dyndns.org, str@giganda.komkon.org
Cc:        security-officer@freebsd.org, security@freebsd.org
Subject:   Re: Webalizer - is FreeBSD port vulnerable ?
Message-ID:  <200204291918.g3TJIOF26248@giganda.komkon.org>
In-Reply-To: <20020429175901.GC321@lenny.anarcat.dyndns.org>


I see that the cvs-tree for the webalizer port contains a record
about the overflow fix (Apr 18-19), together with the
version upgrade right after that.
However, I couldn't find a FreeBSD security advisory on this topic.

Hopefully it's being worked on.

Igor

PS. Thanks to `pr0ject' for his response, probably helpful, but answering
a completely different question.

`prOject' wrote:
>
> it's only exploitable if you let the world see your stats.
>
> IMHO, info like this should always be htaccessed.
>

[Besides, I am not sure how not showing the stat results would prevent
you from being hit by a malicious DNS owner. I haven't seen the internals
of the overflow, but since it's in the webalizer itself, it doesn't seem to
be related to whether the stats are displayed or not. The overflow should
be happening when the webalizer is run.
The only scenario I see is that it doesn't reveal that you run webalizer.
That would be just "security by obscurity". A malicious person can
"inseminate" all big servers anyway, and then just sit and wait until
the bell rings.]




> From anarcat@anarcat.dyndns.org Mon Apr 29 14:00:12 2002
> Date: Mon, 29 Apr 2002 13:59:01 -0400
> From: The Anarcat <anarcat@anarcat.dyndns.org>
> To: Igor Roshchin <str@giganda.komkon.org>
> Cc: security@freebsd.org
> Subject: Re: Webalizer - is FreeBSD port vulnerable ?
>
> IIRC, the port was fixed not long ago. Please see the security
> advisory.
>
> A.
>
> On Mon Apr 29, 2002 at 12:18:55PM -0400, Igor Roshchin wrote:
> >
> > Hello!
> >=20
> > Webalizer is found to have a buffer overflow that is reportedly
> > remotely exploitable.
> > http://online.securityfocus.com/archive/1/267551
> > http://online.securityfocus.com/bid/4504
> > http://www.mrunix.net/webalizer/news.html
> >
> > The second link above contains a list of vulnerable versions / OSes.
> > The only BSD-ish system mentioned is MacOS-X.
> > Is any of the versions of FreeBSD port vulnerable ?
> >=20
> > Best,
> >
> > Igor
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
>
> --
> Imagination is more important than knowledge
>                         - Albert Einstein
>
