diff options
author | Bjoern A. Zeeb <bz@FreeBSD.org> | 2012-08-15 06:19:40 +0000 |
---|---|---|
committer | Bjoern A. Zeeb <bz@FreeBSD.org> | 2012-08-15 06:19:40 +0000 |
commit | 3571e5304050aba8c8eab50a86c6c0a073e4710b (patch) | |
tree | de84b0c3c5ffde32e607bf0686e9f27bb7a78ef0 /share/security/advisories/FreeBSD-SN-02:04.asc | |
parent | 01c8718f26f092070b0b20b4902a2a313033ed79 (diff) | |
download | doc-3571e5304050aba8c8eab50a86c6c0a073e4710b.tar.gz doc-3571e5304050aba8c8eab50a86c6c0a073e4710b.zip |
Import FreeBSD Security Advisories and Errata Notices, as well as their
patches for easier mirroring, to eliminate a special copy, to make
www.freebsd.org/security a full copy of security.freebsd.org and be
eventually be the same.
For now files are just sitting there. The symlinks are missing.
Discussed on: www (repository location)
Discussed with: simon (so)
Notes
Notes:
svn path=/head/; revision=39381
Diffstat (limited to 'share/security/advisories/FreeBSD-SN-02:04.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SN-02:04.asc | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SN-02:04.asc b/share/security/advisories/FreeBSD-SN-02:04.asc new file mode 100644 index 0000000000..ee0212fc3f --- /dev/null +++ b/share/security/advisories/FreeBSD-SN-02:04.asc @@ -0,0 +1,166 @@ +-----BEGIN PGP SIGNED MESSAGE----- + +============================================================================= +FreeBSD-SN-02:04 Security Notice + The FreeBSD Project + +Topic: security issues in ports +Announced: 2002-06-19 + +I. Introduction + +Several ports in the FreeBSD Ports Collection are affected by security +issues. These are listed below with references and affected versions. +All versions given refer to the FreeBSD port/package version numbers. +The listed vulnerabilities are not specific to FreeBSD unless +otherwise noted. + +These ports are not installed by default, nor are they ``part of +FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of +third-party applications in a ready-to-install format. FreeBSD makes +no claim about the security of these third-party applications. See +<URL:http://www.freebsd.org/ports/> for more information about the +FreeBSD Ports Collection. + +II. Ports + ++------------------------------------------------------------------------+ +Port name: apache13, apache13-modssl, apache13-ssl, + apache13+ipv6, apache13-fp, apache2 +Affected: versions < apache-2.0.39 (apache2) + versions < apache-1.3.26 (apache13) + versions < apache+mod_ssl-1.3.26+2.8.9 (apache13-modssl) + All versions (others) +Status: Fixed (apache2, apache13, apache13-modssl) + Not fixed (others) +Denial-of-service involving chunked encoding. +<URL:http://httpd.apache.org/info/security_bulletin_20020617.txt> +<URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502> +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392> ++------------------------------------------------------------------------+ +Port name: bind9 +Affected: versions < bind9-9.2.1 +Status: Fixed +Denial-of-service vulnerability in named. +<URL:http://www.cert.org/advisories/CA-2002-15.html> ++------------------------------------------------------------------------+ +Port name: courier-imap +Affected: versions < courier-imap-1.4.3_1 +Status: Fixed +Remote denial-of-service attack (CPU utilization). +<URL:http://www.security.nnov.ru/advisories/courier.asp> ++------------------------------------------------------------------------+ +Port name: ethereal +Affected: versions < ethereal-0.9.4 +Status: Fixed +Buffer overflows in SMB, X11, DNS, and GIOP dissectors. +<URL:http://www.ethereal.com/appnotes/enpa-sa-00004.html> ++------------------------------------------------------------------------+ +Port name: fakebo +Affected: versions < fakebo-0.4.1_1 +Status: Fixed +Format string vulnerability. +<URL:http://cvsweb.freebsd.org/ports/security/fakebo/files/patch-aa> +<URL:http://cvsweb.freebsd.org/ports/security/fakebo/files/patch-ab> ++------------------------------------------------------------------------+ +Port name: fragroute +Affected: versions < fragroute-1.2_1 +Status: Fixed +The distribution file with MD5 checksum 65edbfc51f8070517f14ceeb8f721075 +was trojaned. +<URL:http://online.securityfocus.com/archive/1/274892> ++------------------------------------------------------------------------+ +Port name: ghostscript-gnu +Affected: versions < ghostscript-6.53 +Status: Fixed +A PostScript file can cause arbitrary commands to be executed as +the user running ghostscript. +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0363> ++------------------------------------------------------------------------+ +Port name: icmpmonitor +Affected: versions < icmpmonitor-1.11_1 +Status: Fixed +Format string vulnerability (syslog). +<URL:http://cvsweb.freebsd.org/ports/net/icmpmonitor/files/patch-aa> ++------------------------------------------------------------------------+ +Port name: imap-uw +Affected: All versions +Status: Not fixed +Locally exploitable stack buffer overflow when compiled with +WITH_RFC1730 (which is not the default). +<URL:http://online.securityfocus.com/archive/1/271958> +<URL:http://online.securityfocus.com/archive/1/272030> ++------------------------------------------------------------------------+ +Port name: mnews +Affected: All versions +Status: Not fixed +Remotely exploitable buffer overflows. +<URL:http://online.securityfocus.com/archive/1/275012> +<URL:http://online.securityfocus.com/archive/1/275125> ++------------------------------------------------------------------------+ +Port name: nn +Affected: versions < nn-6.6.2_1 +Status: Fixed +Remotely exploitable format string vulnerability. +Reproduce using netcat: + perl -e 'printf("100 %s\n", "%x" x 800);' | nc -l -p 119 + env NNTPSERVER="localhost" nn ++------------------------------------------------------------------------+ +Port name: sharity-light +Affected: versions < sharity-light-1.2_1 +Status: Fixed +Stack buffer overflow when copying the username and password from the +environment (variables USER, LOGNAME, and PASSWD). Reported by +Niels Heinen <niels.heinen@ubizen.com>. ++------------------------------------------------------------------------+ +Port name: slurp +Affected: versions < slurp-1.10_1 +Status: Fixed +Remotely exploitable format string vulnerability. +<URL:http://online.securityfocus.com/archive/1/275397> ++------------------------------------------------------------------------+ +Port name: xchat +Affected: versions < xchat-1.8.9 +Status: Fixed +An IRC server may execute arbitrary commands with the privileges +of the user running xchat. +<URL:http://online.securityfocus.com/bid/4376> ++------------------------------------------------------------------------+ + +III. Upgrading Ports/Packages + +To upgrade a fixed port/package, perform one of the following: + +1) Upgrade your Ports Collection and rebuild and reinstall the port. +Several tools are available in the Ports Collection to make this +easier. See: + /usr/ports/devel/portcheckout + /usr/ports/misc/porteasy + /usr/ports/sysutils/portupgrade + +2) Deinstall the old package and install a new package obtained from + +[i386] +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/ + +Packages are not automatically generated for other architectures at +this time. + + ++------------------------------------------------------------------------+ +FreeBSD Security Notices are communications from the Security Officer +intended to inform the user community about potential security issues, +such as bugs in the third-party applications found in the Ports +Collection, which will not be addressed in a FreeBSD Security +Advisory. + +Feedback on Security Notices is welcome at <security-officer@FreeBSD.org>. +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.0.7 (FreeBSD) + +iQCVAwUBPRD6MlUuHi5z0oilAQFmSwP9Hs95CGjDL8PF95Z9bAxana0X9JTUYvaN +qxPWiovTzED5Ityt46TySpoOcwdQkzO0ugu3/Q7zCppEDdIjXBUxARv8qvnLG7Oz +f5SPItOW//5P7hmq6c9XGQrfq4XLYnv61JbgK9Cm0tGU8iVhOwm+ztpZS2FG5x+3 +F4W/AphEyi8= +=W9sm +-----END PGP SIGNATURE----- |