path: root/share/security/advisories/FreeBSD-SN-02:04.asc
author: Bjoern A. Zeeb <bz@FreeBSD.org> 2012-08-15 06:19:40 +0000
committer: Bjoern A. Zeeb <bz@FreeBSD.org> 2012-08-15 06:19:40 +0000
commit: 3571e5304050aba8c8eab50a86c6c0a073e4710b
tree: de84b0c3c5ffde32e607bf0686e9f27bb7a78ef0 /share/security/advisories/FreeBSD-SN-02:04.asc
parent: 01c8718f26f092070b0b20b4902a2a313033ed79
Import FreeBSD Security Advisories and Errata Notices, as well as their
patches for easier mirroring, to eliminate a special copy, to make
www.freebsd.org/security a full copy of security.freebsd.org and
eventually be the same.

For now files are just sitting there. The symlinks are missing.

Discussed on: www (repository location)
Discussed with: simon (so)
Notes: svn path=/head/; revision=39381
Diffstat (limited to 'share/security/advisories/FreeBSD-SN-02:04.asc')
-rw-r--r-- share/security/advisories/FreeBSD-SN-02:04.asc 166
1 files changed, 166 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SN-02:04.asc b/share/security/advisories/FreeBSD-SN-02:04.asc
new file mode 100644
index 0000000000..ee0212fc3f
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SN-02:04.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SN-02:04 Security Notice
+ The FreeBSD Project
+
+Topic: security issues in ports
+Announced: 2002-06-19
+
+I. Introduction
+
+Several ports in the FreeBSD Ports Collection are affected by security
+issues. These are listed below with references and affected versions.
+All versions given refer to the FreeBSD port/package version numbers.
+The listed vulnerabilities are not specific to FreeBSD unless
+otherwise noted.
+
+These ports are not installed by default, nor are they ``part of
+FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
+third-party applications in a ready-to-install format. FreeBSD makes
+no claim about the security of these third-party applications. See
+<URL:http://www.freebsd.org/ports/> for more information about the
+FreeBSD Ports Collection.
+
+II. Ports
+
++------------------------------------------------------------------------+
+Port name: apache13, apache13-modssl, apache13-ssl,
+ apache13+ipv6, apache13-fp, apache2
+Affected: versions < apache-2.0.39 (apache2)
+ versions < apache-1.3.26 (apache13)
+ versions < apache+mod_ssl-1.3.26+2.8.9 (apache13-modssl)
+ All versions (others)
+Status: Fixed (apache2, apache13, apache13-modssl)
+ Not fixed (others)
+Denial-of-service involving chunked encoding.
+<URL:http://httpd.apache.org/info/security_bulletin_20020617.txt>
+<URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502>
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392>
++------------------------------------------------------------------------+
+Port name: bind9
+Affected: versions < bind9-9.2.1
+Status: Fixed
+Denial-of-service vulnerability in named.
+<URL:http://www.cert.org/advisories/CA-2002-15.html>
++------------------------------------------------------------------------+
+Port name: courier-imap
+Affected: versions < courier-imap-1.4.3_1
+Status: Fixed
+Remote denial-of-service attack (CPU utilization).
+<URL:http://www.security.nnov.ru/advisories/courier.asp>
++------------------------------------------------------------------------+
+Port name: ethereal
+Affected: versions < ethereal-0.9.4
+Status: Fixed
+Buffer overflows in SMB, X11, DNS, and GIOP dissectors.
+<URL:http://www.ethereal.com/appnotes/enpa-sa-00004.html>
++------------------------------------------------------------------------+
+Port name: fakebo
+Affected: versions < fakebo-0.4.1_1
+Status: Fixed
+Format string vulnerability.
+<URL:http://cvsweb.freebsd.org/ports/security/fakebo/files/patch-aa>
+<URL:http://cvsweb.freebsd.org/ports/security/fakebo/files/patch-ab>
++------------------------------------------------------------------------+
+Port name: fragroute
+Affected: versions < fragroute-1.2_1
+Status: Fixed
+The distribution file with MD5 checksum 65edbfc51f8070517f14ceeb8f721075
+was trojaned.
+<URL:http://online.securityfocus.com/archive/1/274892>
++------------------------------------------------------------------------+
+Port name: ghostscript-gnu
+Affected: versions < ghostscript-6.53
+Status: Fixed
+A PostScript file can cause arbitrary commands to be executed as
+the user running ghostscript.
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363>
++------------------------------------------------------------------------+
+Port name: icmpmonitor
+Affected: versions < icmpmonitor-1.11_1
+Status: Fixed
+Format string vulnerability (syslog).
+<URL:http://cvsweb.freebsd.org/ports/net/icmpmonitor/files/patch-aa>
++------------------------------------------------------------------------+
+Port name: imap-uw
+Affected: All versions
+Status: Not fixed
+Locally exploitable stack buffer overflow when compiled with
+WITH_RFC1730 (which is not the default).
+<URL:http://online.securityfocus.com/archive/1/271958>
+<URL:http://online.securityfocus.com/archive/1/272030>
++------------------------------------------------------------------------+
+Port name: mnews
+Affected: All versions
+Status: Not fixed
+Remotely exploitable buffer overflows.
+<URL:http://online.securityfocus.com/archive/1/275012>
+<URL:http://online.securityfocus.com/archive/1/275125>
++------------------------------------------------------------------------+
+Port name: nn
+Affected: versions < nn-6.6.2_1
+Status: Fixed
+Remotely exploitable format string vulnerability.
+Reproduce using netcat:
+ perl -e 'printf("100 %s\n", "%x" x 800);' | nc -l -p 119
+ env NNTPSERVER="localhost" nn
++------------------------------------------------------------------------+
+Port name: sharity-light
+Affected: versions < sharity-light-1.2_1
+Status: Fixed
+Stack buffer overflow when copying the username and password from the
+environment (variables USER, LOGNAME, and PASSWD). Reported by
+Niels Heinen <niels.heinen@ubizen.com>.
++------------------------------------------------------------------------+
+Port name: slurp
+Affected: versions < slurp-1.10_1
+Status: Fixed
+Remotely exploitable format string vulnerability.
+<URL:http://online.securityfocus.com/archive/1/275397>
++------------------------------------------------------------------------+
+Port name: xchat
+Affected: versions < xchat-1.8.9
+Status: Fixed
+An IRC server may execute arbitrary commands with the privileges
+of the user running xchat.
+<URL:http://online.securityfocus.com/bid/4376>
++------------------------------------------------------------------------+
+
+III. Upgrading Ports/Packages
+
+To upgrade a fixed port/package, perform one of the following:
+
+1) Upgrade your Ports Collection and rebuild and reinstall the port.
+Several tools are available in the Ports Collection to make this
+easier. See:
+ /usr/ports/devel/portcheckout
+ /usr/ports/misc/porteasy
+ /usr/ports/sysutils/portupgrade
+
+2) Deinstall the old package and install a new package obtained from
+
+[i386]
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
+
+Packages are not automatically generated for other architectures at
+this time.
+
+
++------------------------------------------------------------------------+
+FreeBSD Security Notices are communications from the Security Officer
+intended to inform the user community about potential security issues,
+such as bugs in the third-party applications found in the Ports
+Collection, which will not be addressed in a FreeBSD Security
+Advisory.
+
+Feedback on Security Notices is welcome at <security-officer@FreeBSD.org>.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.7 (FreeBSD)
+
+iQCVAwUBPRD6MlUuHi5z0oilAQFmSwP9Hs95CGjDL8PF95Z9bAxana0X9JTUYvaN
+qxPWiovTzED5Ityt46TySpoOcwdQkzO0ugu3/Q7zCppEDdIjXBUxARv8qvnLG7Oz
+f5SPItOW//5P7hmq6c9XGQrfq4XLYnv61JbgK9Cm0tGU8iVhOwm+ztpZS2FG5x+3
+F4W/AphEyi8=
+=W9sm
+-----END PGP SIGNATURE-----
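Review bot: the whole added file is a clearsigned message, running from the BEGIN PGP SIGNED MESSAGE line at the top to the signature block at the end, and nothing in this change shows that the imported copy still verifies. Any keyword expansion, end-of-line conversion or whitespace cleanup applied by the repository would alter the signed body and make the signature fail for everyone who mirrors it from here. Please confirm the committed bytes with gpg --verify against the Security Officer key, make sure no repository properties rewrite .asc files, and say in the log that the check was done. The log also states that the symlinks are missing; a follow-up for those should be tracked so that paths mirrored from security.freebsd.org keep resolving.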