diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-01:23.icecast.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-01:23.icecast.asc | 101 |
1 files changed, 0 insertions, 101 deletions
diff --git a/share/security/advisories/FreeBSD-SA-01:23.icecast.asc b/share/security/advisories/FreeBSD-SA-01:23.icecast.asc deleted file mode 100644 index 01177d1b31..0000000000 --- a/share/security/advisories/FreeBSD-SA-01:23.icecast.asc +++ /dev/null @@ -1,101 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-01:23 Security Advisory - FreeBSD, Inc. - -Topic: icecast port contains remote vulnerability - -Category: ports -Module: icecast -Announced: 2001-03-12 -Credits: |CyRaX| <cyrax@pkcrew.org> -Affects: Ports collection prior to the correction date. -Corrected: 2001-03-10 -Vendor status: Unresponsive -FreeBSD only: NO - -I. Background - -icecast is a server for streaming MP3 audio. - -II. Problem Description - -The icecast software, versions prior to 1.3.7_1, contains multiple -format string vulnerabilities, which allow a remote attacker to -execute arbitrary code as the user running icecast, usually the root -user. - -There are a number of other potential abuses of format strings which -may or may not pose security risks, but have not currently been -audited. - -The icecast port is not installed by default, nor is it "part of -FreeBSD" as such: it is part of the FreeBSD ports collection, which -contains nearly 4700 third-party applications in a ready-to-install -format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 -contain this problem since it was discovered after the releases. - -FreeBSD makes no claim about the security of these third-party -applications, although an effort is underway to provide a security -audit of the most security-critical ports. - -III. Impact - -Arbitrary remote users can execute arbitrary code on the local system -as the user running icecast, usually the root user. - -If you have not chosen to install the icecast port/package, then your -system is not vulnerable to this problem. - -IV. Workaround - -Deinstall the icecast port/package, if you have installed it. - -V. Solution - -Consider running the icecast software as a non-privileged user to -minimize the impact of further security vulnerabilities in this -software. - -To upgrade icecast, choose one of the following options: - -1) Upgrade your entire ports collection and rebuild the icecast port. - -2) Deinstall the old package and install a new package dated after the -correction date, obtained from: - -[i386] -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/icecast-1.3.7_1.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/icecast-1.3.7_1.tgz - -NOTE: It may be several days before updated packages are available - -[alpha] -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/icecast-1.3.7_1.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/icecast-1.3.7_1.tgz - -3) download a new port skeleton for the icecast port from: - -http://www.freebsd.org/ports/ - -and use it to rebuild the port. - -4) Use the portcheckout utility to automate option (3) above. The -portcheckout port is available in /usr/ports/devel/portcheckout or the -package can be obtained from: - -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz -ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.0.4 (FreeBSD) -Comment: For info see http://www.gnupg.org - -iQCVAwUBOq1b9lUuHi5z0oilAQF0VQQAgjsvLSPtZ1pu6OtkGxuMJhCmmeCvFJvL -4szsF1csrFrXhaH7z1VjJP8r/Q2NBzWcS3qujkhGRObsGGyvAJKk7QVrqnjXV3gD -rgLnphjNlKt0VuXafxXwTT8YTxoCbzOHy23aa0KaRWoCAVcVi4AAZs4XHEUgU+Ov -lWOyEgxUBEk= -=WM3Y ------END PGP SIGNATURE----- |