aboutsummaryrefslogtreecommitdiff
path: root/share/security/advisories/FreeBSD-SA-00:47.pine.asc
diff options
context:
space:
mode:
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-00:47.pine.asc')
-rw-r--r--share/security/advisories/FreeBSD-SA-00:47.pine.asc107
1 files changed, 107 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-00:47.pine.asc b/share/security/advisories/FreeBSD-SA-00:47.pine.asc
new file mode 100644
index 0000000000..95b59f3ed9
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-00:47.pine.asc
@@ -0,0 +1,107 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SA-00:47 Security Advisory
+ FreeBSD, Inc.
+
+Topic: pine4 port allows denial of service
+
+Category: ports
+Module: pine4
+Announced: 2000-09-13
+Affects: Ports collection.
+Corrected: 2000-07-17
+Credits: Juhapekka Tolvanen <juhtolv@ST.JYU.FI>
+Vendor status: Contacted
+FreeBSD only: NO
+
+I. Background
+
+Pine is a popular mail user agent.
+
+II. Problem Description
+
+The pine4 port, versions 4.21 and before, contained a bug which would
+cause the program to crash when processing a folder which contains an
+email message with a malformed X-Keywords header. The message itself
+could be deleted within pine if identified, but other operations such
+as closing the folder with the message still present would cause the
+program to crash with no apparent cause, discarding changes to the
+mailbox.
+
+The FreeBSD port of pine4 was changed on 2000-07-17 to use an updated
+version of the c-client library which is used to handle the mailbox
+processing. This library does not contain the bug and versions of
+pine4 built with it (i.e. ports or packages dated after the correction
+date) do not suffer from this vulnerability.
+
+The pine4 port is not installed by default, nor is it "part of
+FreeBSD" as such: it is part of the FreeBSD ports collection, which
+contains over 3800 third-party applications in a ready-to-install
+format. The ports collections shipped with FreeBSD 4.1 and 3.5.1
+contain this problem since it was discovered after the releases.
+
+FreeBSD makes no claim about the security of these third-party
+applications, although an effort is underway to provide a security
+audit of the most security-critical ports.
+
+III. Impact
+
+Remote users can cause pine4 to crash when closing a mail folder by
+sending a malformed email.
+
+If you have not chosen to install the pine4 port/package, then
+your system is not vulnerable to this problem.
+
+IV. Workaround
+
+Deinstall the pine4 port/package, if you have installed it.
+
+It may be possible to use a mail filtering utility such as procmail
+(available in FreeBSD ports as /usr/ports/mail/procmail) to filter out
+the malformed X-Keywords header from incoming mail, but this solution
+is not discussed here.
+
+V. Solution
+
+One of the following:
+
+1) Upgrade your entire ports collection and rebuild the pine4 port.
+
+2) Deinstall the old package and install a new package dated after the
+correction date, obtained from:
+
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/pine-4.21.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.21.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/pine-4.21.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.21.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/pine-4.21.tgz
+
+NOTE: Be sure to check the file creation date on the package, because
+the version number of the software has not changed.
+
+3) download a new port skeleton for the listmanager port from:
+
+http://www.freebsd.org/ports/
+
+and use it to rebuild the port.
+
+4) Use the portcheckout utility to automate option (3) above. The
+portcheckout port is available in /usr/ports/devel/portcheckout or the
+package can be obtained from:
+
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBOb/kgFUuHi5z0oilAQEwgAQAnYgLOfvgfM88DLjUXgoZBkVRoroeU8rz
+2DXUw4LEQ6ARzruWPepALW2Yls+g5SraDCLHmuTo6tb3vR6kwQ97gQmzNCNDxK9T
+/5m4EFYo2ErTOB4nO/MqepJ+/0t4oBPByhaRjQBSqQncaN4FIkWgboqfpbYdL6HC
+cnQSlc+0FPs=
+=R2n+
+-----END PGP SIGNATURE-----
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-24 17:49:46 +0000