[olug] Fw: FreeBSD Security Notice FreeBSD-SN-02:03

Brian Roberson roberson at olug.org
Tue May 28 23:06:07 UTC 2002 

----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
To: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
Sent: Tuesday, May 28, 2002 11:58 AM
Subject: FreeBSD Security Notice FreeBSD-SN-02:03


> -----BEGIN PGP SIGNED MESSAGE-----
>
>
============================================================================
=
> FreeBSD-SN-02:03                                              Security
Notice
>                                                           The FreeBSD
Project
>
> Topic:          security issues in ports
> Announced:      2002-05-28
>
> I.   Introduction
>
> Several ports in the FreeBSD Ports Collection are affected by security
> issues.  These are listed below with references and affected versions.
> All versions given refer to the FreeBSD port/package version numbers.
> The listed vulnerabilities are not specific to FreeBSD unless
> otherwise noted.
>
> These ports are not installed by default, nor are they ``part of
> FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
> third-party applications in a ready-to-install format.  FreeBSD makes
> no claim about the security of these third-party applications.  See
> <URL:http://www.freebsd.org/ports/> for more information about the
> FreeBSD Ports Collection.
>
> II.  Ports
>
> +------------------------------------------------------------------------+
> Port name:      amanda
> Affected:       versions <= amanda-2.3.0.4
> Status:         Port removed
> Obsolete versions of Amanda contain multiple buffer overflows.
> <URL:http://online.securityfocus.com/archive/1/274215>
> +------------------------------------------------------------------------+
> Port name:      fetchmail
> Affected:       versions < fetchmail-5.9.11
> Status:         Fixed
> <URL:http://tuxedo.org/~esr/fetchmail/NEWS>
> <URL:http://rhn.redhat.com/errata/RHSA-2002-047.html>
> +------------------------------------------------------------------------+
> Port name:      gaim
> Affected:       versions < gaim-0.58
> Status:         Fixed
> World-readable temp files allow access to gaim users' hotmail
> accounts.
> <URL:http://online.securityfocus.com/archive/1/272180>
> +------------------------------------------------------------------------+
> Port name:      gnokii
> Affected:       versions < gnokii-0.4.0.p20,1
> Status:         Fixed
> Write access to any file in the filesystem.
> <URL:http://www.gnokii.org/news.shtml>
> +------------------------------------------------------------------------+
> Port name:      horde
> Affected:       versions < horde-1.2.8
> Status:         Fixed
> Cross-site scripting attacks.
> +------------------------------------------------------------------------+
> Port name:      imap-uw
> Affected:       all versions
> Status:         Not fixed
> Only when compiled with RFC 1730 support (make -DWITH_RFC1730):
> Remote buffer overflow yielding non-privileged shell access.
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379>
> <URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529&w=2>
> +------------------------------------------------------------------------+
> Port name:      imp
> Affected:       versions < imp-2.2.8
> Status:         Fixed
> Cross-site scripting attacks.
> +------------------------------------------------------------------------+
> Port name:      linux-netscape6
> Affected:       versions < 6.2.3
> Status:         Fixed
> XMLHttpRequest allows reading of local files.
> <URL:http://online.securityfocus.com/archive/1/270807>
> +------------------------------------------------------------------------+
> Port name:      mnogosearch
> Affected:       versions < mnogosearch-3.1.19_2
> Status:         Fixed
> Long query can be abused to execute code with webserver privileges.
> <URL:http://online.securityfocus.com/archive/1/272025>
> +------------------------------------------------------------------------+
> Port name:      mpg321
> Affected:       versions < mpg321-0.2.9
> Status:         Fixed
> Buffer overflow may allow remote attackers to execute arbitrary code via
> streaming data.
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0272>
> +------------------------------------------------------------------------+
> Port name:      ssh2
> Affected:       all versions
> Status:         Not fixed
> Password authentication may be used even if password authentication
> is disabled.
> <URL:http://www.ssh.com/products/ssh/advisories/authentication.cfm>
> +------------------------------------------------------------------------+
> Port name:      tinyproxy
> Affected:       versions < tinyproxy-1.5.0
> Status:         Fixed
> Invalid query could allow execution of arbitrary code.
> <URL:http://tinyproxy.sourceforge.net/NEWS>
> +------------------------------------------------------------------------+
> Port name:      webmin
> Affected:       versions < webmin-0.970
> Status:         Fixed
> Remote attacker can login to Webmin as any user.
> <URL:http://www.webmin.com/webmin/changes.html>
> +------------------------------------------------------------------------+
>
> III. Upgrading Ports/Packages
>
> To upgrade a fixed port/package, perform one of the following:
>
> 1) Upgrade your Ports Collection and rebuild and reinstall the port.
> Several tools are available in the Ports Collection to make this
> easier.  See:
>   /usr/ports/devel/portcheckout
>   /usr/ports/misc/porteasy
>   /usr/ports/sysutils/portupgrade
>
> 2) Deinstall the old package and install a new package obtained from
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
>
> Packages are not automatically generated for other architectures at
> this time.
>
>
> +------------------------------------------------------------------------+
> FreeBSD Security Notices are communications from the Security Officer
> intended to inform the user community about potential security issues,
> such as bugs in the third-party applications found in the Ports
> Collection, which will not be addressed in a FreeBSD Security
> Advisory.
>
> Feedback on Security Notices is welcome at <security-officer at FreeBSD.org>.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (FreeBSD)
>
> iQCVAwUBPPPEdFUuHi5z0oilAQFW8wP8CXG3dQyI5VPLp0m6frS4BtNtlkjOpq87
> R/8FrDizVNGQ88+NzdPPPYWh8joAPGJZSXrWrSWKSge2dqEDK4CTpJ5BFzpQsxUZ
> kexaZ43DRxrUMQN1AWDyarE+/y8uCk3BnJTWhNLOf2HeOYNekOn/BHQ53ucpoaKs
> QQEX171+Jnk=
> =Z1i5
> -----END PGP SIGNATURE-----
>
> This is the moderated mailing list freebsd-announce.
> The list contains announcements of new FreeBSD capabilities,
> important events and project milestones.
> See also the FreeBSD Web pages at http://www.freebsd.org
>
>
> To Unsubscribe: send mail to majordomo at FreeBSD.org
> with "unsubscribe freebsd-announce" in the body of the message
>


-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

For help contact olug-help at olug.org - run by ezmlm
to unsubscribe, send mail to olug-unsubscribe at olug.org
or `mail olug-unsubscribe at olug.org < /dev/null`
(c)1998-2002 OLUG http://www.olug.org

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

More information about the OLUG mailing list