diff options
| author | Bjoern A. Zeeb <bz@FreeBSD.org> | 2012-08-15 06:19:40 +0000 |
|---|---|---|
| committer | Bjoern A. Zeeb <bz@FreeBSD.org> | 2012-08-15 06:19:40 +0000 |
| commit | 3571e5304050aba8c8eab50a86c6c0a073e4710b (patch) | |
| tree | de84b0c3c5ffde32e607bf0686e9f27bb7a78ef0 /share/security/advisories/FreeBSD-SA-01:23.icecast.asc | |
| parent | 01c8718f26f092070b0b20b4902a2a313033ed79 (diff) | |
| download | doc-3571e5304050aba8c8eab50a86c6c0a073e4710b.tar.gz doc-3571e5304050aba8c8eab50a86c6c0a073e4710b.zip | |
Import FreeBSD Security Advisories and Errata Notices, as well as their
patches for easier mirroring, to eliminate a special copy, to make
www.freebsd.org/security a full copy of security.freebsd.org and be
eventually be the same.
For now files are just sitting there. The symlinks are missing.
Discussed on: www (repository location)
Discussed with: simon (so)
Notes
Notes:
svn path=/head/; revision=39381
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-01:23.icecast.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-01:23.icecast.asc | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-01:23.icecast.asc b/share/security/advisories/FreeBSD-SA-01:23.icecast.asc new file mode 100644 index 0000000000..01177d1b31 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-01:23.icecast.asc @@ -0,0 +1,101 @@ +-----BEGIN PGP SIGNED MESSAGE----- + +============================================================================= +FreeBSD-SA-01:23 Security Advisory + FreeBSD, Inc. + +Topic: icecast port contains remote vulnerability + +Category: ports +Module: icecast +Announced: 2001-03-12 +Credits: |CyRaX| <cyrax@pkcrew.org> +Affects: Ports collection prior to the correction date. +Corrected: 2001-03-10 +Vendor status: Unresponsive +FreeBSD only: NO + +I. Background + +icecast is a server for streaming MP3 audio. + +II. Problem Description + +The icecast software, versions prior to 1.3.7_1, contains multiple +format string vulnerabilities, which allow a remote attacker to +execute arbitrary code as the user running icecast, usually the root +user. + +There are a number of other potential abuses of format strings which +may or may not pose security risks, but have not currently been +audited. + +The icecast port is not installed by default, nor is it "part of +FreeBSD" as such: it is part of the FreeBSD ports collection, which +contains nearly 4700 third-party applications in a ready-to-install +format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 +contain this problem since it was discovered after the releases. + +FreeBSD makes no claim about the security of these third-party +applications, although an effort is underway to provide a security +audit of the most security-critical ports. + +III. Impact + +Arbitrary remote users can execute arbitrary code on the local system +as the user running icecast, usually the root user. + +If you have not chosen to install the icecast port/package, then your +system is not vulnerable to this problem. + +IV. Workaround + +Deinstall the icecast port/package, if you have installed it. + +V. Solution + +Consider running the icecast software as a non-privileged user to +minimize the impact of further security vulnerabilities in this +software. + +To upgrade icecast, choose one of the following options: + +1) Upgrade your entire ports collection and rebuild the icecast port. + +2) Deinstall the old package and install a new package dated after the +correction date, obtained from: + +[i386] +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/icecast-1.3.7_1.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/icecast-1.3.7_1.tgz + +NOTE: It may be several days before updated packages are available + +[alpha] +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/icecast-1.3.7_1.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/icecast-1.3.7_1.tgz + +3) download a new port skeleton for the icecast port from: + +http://www.freebsd.org/ports/ + +and use it to rebuild the port. + +4) Use the portcheckout utility to automate option (3) above. The +portcheckout port is available in /usr/ports/devel/portcheckout or the +package can be obtained from: + +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.0.4 (FreeBSD) +Comment: For info see http://www.gnupg.org + +iQCVAwUBOq1b9lUuHi5z0oilAQF0VQQAgjsvLSPtZ1pu6OtkGxuMJhCmmeCvFJvL +4szsF1csrFrXhaH7z1VjJP8r/Q2NBzWcS3qujkhGRObsGGyvAJKk7QVrqnjXV3gD +rgLnphjNlKt0VuXafxXwTT8YTxoCbzOHy23aa0KaRWoCAVcVi4AAZs4XHEUgU+Ov +lWOyEgxUBEk= +=WM3Y +-----END PGP SIGNATURE----- |