From owner-freebsd-security Thu Feb  1 12:18:49 2001
Date: Thu, 1 Feb 2001 15:18:26 -0500
From: Will Andrews
To: Paul Andrews
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86
In-Reply-To: <005301c08c89$33722260$b13e6c18@videon.ca>
References: <200101300909.f0U99qv87528@freefall.freebsd.org> <005301c08c89$33722260$b13e6c18@videon.ca>

On Thu, Feb 01, 2001 at 12:57:26PM -0700, Paul Andrews wrote:
> Does this issue affect only those that installed the XFree86 3.3.6 port or
> does it also affect those who have installed FreeBSD 4.2 RELEASE?

FreeBSD != XFree86.  The advisory specifies what is vulnerable.

> If it does affect the RELEASE version what is the easiest way to fix this
> problem, without upgrading to XFree86 4.01?

If you have no users, just firewall off your X sockets (or tell X to turn
them off).  If you have users, just make sure they can't run anything
setuid linked to libX11.  8)

For other fixes, see below (as specified in the advisory):

> > 1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
> > port.
> >
> > 2) Deinstall the old package and install an XFree86-4.0.2 package
> > obtained from:
> >
> > [i386]
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz
> >
> > [alpha]
> > Packages are not automatically generated for the alpha architecture at
> > this time due to lack of build resources.
> >
> > NOTE: XFree86-3.3.6 packages are no longer made available, only the
> > newer XFree86-4.0.2 packages.
> >
> > Note also that the XFree86-aoutlibs port has not yet been fixed: there
> > is currently no solution to the problem other than removing the
> > port/package and recompiling any dependent software to use ELF
> > libraries, or switching to an ELF-based version of the software, if
> > available (e.g. the BSD/OS or Linux versions of Netscape, as an
> > alternative to the FreeBSD native version).  The potential impact of
> > the vulnerabilities to the local environment may be deemed not
> > sufficiently great to warrant this approach, however.
> >
> > 3) download a new port skeleton for the XFree86-3.3.6 port from:
> >
> > http://www.freebsd.org/ports/
> >
> > and use it to rebuild the port.
> >
> > 4) Use the portcheckout utility to automate option (3) above.  The
> > portcheckout port is available in /usr/ports/devel/portcheckout or the
> > package can be obtained from:
> >
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-- 
wca
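The reply above names two conditions a local administrator can check without upgrading XFree86: no X server reachable over TCP, and no setuid or setgid program linked against libX11. The following script is an added example, not part of the original message or of the FreeBSD advisory. It assumes the usual binary directories (/usr/bin, /usr/X11R6/bin, /usr/local/bin), the X display port range 6000-6063, and a constructed `netstat -an` sample that is not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD advisory):
# audit a host for the two conditions the reply names, setuid/setgid
# binaries linked against libX11 and an X server still listening on TCP.
# Search roots, display-port range and the netstat sample are assumptions.

# Return 0 when the given ldd(1) output references libX11. ldd resolves the
# whole dependency closure, so a setuid program that links only libXt or
# libXaw (which in turn pull in libX11) is still reported; a NEEDED-only
# check with readelf -d would miss that case.
mentions_libx11() {
    printf '%s\n' "$1" | grep -q 'libX11\.so'
}

# Print each setuid or setgid regular file under the given directories whose
# dynamic dependencies include libX11. Files that are not dynamic ELF
# executables (scripts, static binaries) make ldd fail and are skipped.
find_setuid_x11() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        deps=$(ldd "$f" 2>/dev/null) || continue
        if mentions_libx11 "$deps"; then
            printf '%s\n' "$f"
        fi
    done
}

# Read `netstat -an` style output on stdin and print the local address of
# every TCP socket in LISTEN state on an X display port (6000-6063, i.e.
# displays :0 through :63). Handles both the FreeBSD ("*.6000") and the
# Linux ("0.0.0.0:6000") local-address formats.
x_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /[.:]60[0-6][0-9]$/ { print $4 }'
}

# Constructed sample in FreeBSD netstat -an format (assumed, not captured).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  10.0.0.2.6010          10.0.0.3.45000         ESTABLISHED
udp4       0      0  *.514                  *.*'

# Run the listener check over the constructed sample. Only the LISTEN
# socket on port 6000 qualifies; the ESTABLISHED connection on 6010 is
# a client, not an exposed server.
demo_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | x_tcp_listeners
}

# On a live host run with --scan; otherwise only the offline demo executes.
if [ "${1:-}" = "--scan" ]; then
    find_setuid_x11 /usr/bin /usr/X11R6/bin /usr/local/bin
    netstat -an | x_tcp_listeners
else
    demo_listeners
fi
```

An empty result from `find_setuid_x11` is the state the reply asks for on a multi-user box; any path it prints is a program a local user can run to reach the vulnerable library code with elevated privileges, and it should be stripped of its setuid bit or removed until a fixed XFree86 is installed. A non-empty result from the listener check means the X server is still reachable on TCP and should be firewalled or started with TCP listening disabled.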