website/static/security/advisories/FreeBSD-SN-02:01.asc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:01                                              Security Notice
                                                                FreeBSD, Inc.

Topic:          security issues in ports
Announced:      2002-03-30

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      acroread, acroread-chsfont, acroread-chtfont,
                  acroread-commfont, acroread4, linux-mozilla,
                  linux-netscape6, linux_base, linux_base-7
Affected:       versions < linux_base-6.1_1 (linux_base port)
                versions < linux_base-7.1_2 (linux_base-7 port)
                versions < linux_mozilla-0.9.9_1
                all versions of all acroread ports
                all versions of linux-netscape6
Status:         Fixed: linux_base, linux_base-7, linux-mozilla.
                Not fixed: acroread, acroread-chsfont, acroread-chtfont,
                  acroread-commfont, acroread4, linux-netscape6.
These Linux binaries utilize versions of zlib which may contain an
exploitable double-free bug.
<URL:http://www.redhat.com/support/errata/RHSA-2002-026.html>
<URL:http://www.mozilla.org/releases/mozilla0.9.9/>
<URL:http://www.redhat.com/support/errata/RHSA-2002-027.html>
<URL:http://www.gzip.org/zlib/advisory-2002-03-11.txt>
<URL:http://online.securityfocus.com/archive/1/261205>
<URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:18.zlib.asc>
+------------------------------------------------------------------------+
Port name:      apache13-ssl, apache13-modssl
Affected:       all versions of apache+ssl
                versions < apache+mod_ssl-1.3.24+2.8.8
Status:         Fixed: apache13-modssl.
		Not fixed: apache13-ssl.
Buffer overflows in SSL session cache handling.
<URL:http://www.apache-ssl.org/advisory-20020301.txt>
<URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html>
+------------------------------------------------------------------------+
Port name:      bulk_mailer
Affected:       all versions
Status:         Not yet fixed.
Buffer overflows, temporary file race.
<URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=112007>
+------------------------------------------------------------------------+
Port name:      cups, cups-base, cups-lpr
Affected:       versions < cups-1.1.14
                versions < cups-base-1.1.14
                versions < cups-lpr-1.1.14
Status:         Fixed.
Buffer overflows in IPP code.
<URL:http://www.cups.org/news.php?V66>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0063>
+------------------------------------------------------------------------+
Port name:      fileutils
Affected:       all versions
Status:         Not yet fixed.
Race condition in directory removal.
<URL:http://online.securityfocus.com/bind/4266>
+------------------------------------------------------------------------+
Port name:      imlib
Affected:       versions < imlib-1.9.13
Status:         Fixed.
Heap corruption in image handling.
<URL:http://online.securityfocus.com/bid/4336>
+------------------------------------------------------------------------+
Port name:      listar, ecartis
Affected:       versions < ecartis-1.0.0b
                all versions of listar
Status:         Fixed: ecartis.
                Not fixed: listar.
Local and remote buffer overflows, incorrect privilege handling.
<URL:http://online.securityfocus.com/bid/4176>
<URL:http://online.securityfocus.com/bid/4277>
<URL:http://online.securityfocus.com/bid/4271>
+------------------------------------------------------------------------+
Port name:      mod_php3, mod_php4
Affected:       versions < mod_php3-3.0.18_3
                versions < mod_php4-4.1.2
Status:         Fixed.
Vulnerabilities in file upload handling.
<URL:http://security.e-matters.de/advisories/012002.html>
+------------------------------------------------------------------------+
Port name:      ntop
Affected:       all versions
Status:         Not yet fixed.
Remote format string vulnerability.
<URL:http://packetstormsecurity.nl/advisories/misc/H20020304.txt>
<URL:http://online.securityfoucs.com/bid/4225>
+------------------------------------------------------------------------+
Port name:      rsync
Affected:       versions < rsync-2.5.4
Status:         Fixed.
Incorrect group privilege handling, zlib double-free bug.
<URL:http://online.securityfocus.com/bid/4285>
<URL:http://www.rsync.org/>
+------------------------------------------------------------------------+
Port name:      xchat, xchat-devel
Affected:       all versions
Status:         Not yet fixed.
Malicious server may cause xchat to execute arbitrary commands.
<URL:http://online.securityfocus.com/archive/1/264380>
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

Do one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier.  See:
  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.


+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.

Feedback on Security Notices is welcome at <security-officer@FreeBSD.org>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPK28lVUuHi5z0oilAQGUuQP/aBo4NQLKF4qiFxvy6+Z0FyMGChECbZYr
3TR2OLdPks0xuoIgbpPAstrTeFbCRe7m59zCibdbRCpUd167QAUEF72nICmcQmYa
+ZEFGUHcMxNg09LUd7MxDg1LbczBX7L1SFKFaZOCGuzPa6SrsbvPFbXO7hUu+nSI
nH5M1Y1F9rk=
=hHhx
-----END PGP SIGNATURE-----