[olug] Fw: FreeBSD Security Notice FreeBSD-SN-02:02
Brian Roberson
roberson at olug.org
Mon May 13 15:33:33 UTC 2002
----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories at FreeBSD.org>
To: "FreeBSD Security Advisories" <security-advisories at FreeBSD.org>
Sent: Monday, May 13, 2002 9:28 AM
Subject: FreeBSD Security Notice FreeBSD-SN-02:02
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> =============================================================================
> FreeBSD-SN-02:02                                              Security Notice
>                                                           The FreeBSD Project
>
> Topic: security issues in ports
> Announced: 2002-05-13
>
> I. Introduction
>
> Several ports in the FreeBSD Ports Collection are affected by security
> issues. These are listed below with references and affected versions.
> All versions given refer to the FreeBSD port/package version numbers.
> The listed vulnerabilities are not specific to FreeBSD unless
> otherwise noted.
>
> These ports are not installed by default, nor are they ``part of
> FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
> third-party applications in a ready-to-install format. FreeBSD makes
> no claim about the security of these third-party applications. See
> <URL:http://www.freebsd.org/ports/> for more information about the
> FreeBSD Ports Collection.
>
> II. Ports
>
> +------------------------------------------------------------------------+
> Port name: analog
> Affected: versions < analog-5.22
> Status: Fixed
> Cross-site scripting attack.
> <URL:http://www.analog.cx/security4.html>
> +------------------------------------------------------------------------+
> Port name: ascend-radius, freeradius-devel, icradius, radius-basic,
> radiusclient, radiusd-cistron, xtradius
> Affected: versions < radiusd-cistron-1.6.6
> all versions of ascend-radius, freeradius-devel, icradius,
> radius-basic, radiusclient
> Status: Fixed: radiusd-cistron
> Not fixed: all others
> Digest Calculation buffer overflow and/or insufficient validation of
> attribute lengths.
> <URL:http://www.security.nnov.ru/advisories>
> +------------------------------------------------------------------------+
> Port name: dnews
> Affected: versions < dnews-5.5h2
> Status: Fixed
> ``Security fault.''
> <URL:http://netwinsite.com/cgi/dnewsweb.cgi?cmd=article&group=netwin.dnews&item=7223&utag=>
> +------------------------------------------------------------------------+
> Port name: ethereal
> Affected: versions < ethereal-0.9.3
> Status: Fixed
> SNMP vulnerability: malformed SNMP packets may cause ethereal to crash.
> <URL:http://www.ethereal.com/appnotes/enpa-sa-00003.html>
> +------------------------------------------------------------------------+
> Port name: icecast
> Affected: versions < icecast-1.3.12
> Status: Fixed
> Directory traversal vulnerability.
> Remote attackers may cause a denial of service via a URL that ends in
> . (dot), / (forward slash), or \ (backward slash).
> Buffer overflows may allow remote attackers to execute arbitrary code or
> cause a denial of service.
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0784>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1229>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1230>
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0177>
> +------------------------------------------------------------------------+
> Port name: isc-dhcp3
> Affected: versions < dhcp-3.0.1.r8_1
> Status: Fixed
> Format string vulnerability when logging DNS-update request transactions.
> <URL:http://www.cert.org/advisories/CA-2002-12.html>
> <URL:http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt>
> +------------------------------------------------------------------------+
> Port name: jdk, jdk12-beta
> Affected: all versions
> Status: Not fixed
> ``A vulnerability in the Java(TM) Runtime Environment may allow an
> untrusted applet to monitor requests to and responses from an HTTP
> proxy server when a persistent connection is used between a client and
> an HTTP proxy server.''
> <URL:http://sunsolve.sun.com/security> (Bulletin 216)
> +------------------------------------------------------------------------+
> Port name: linux-mozilla, mozilla
> Affected: versions < linux-mozilla-0.9.9.2002050810
> versions < mozilla-1.0.rc1_3,1
> Status: Fixed
> Buffer overflow in Chatzilla. XMLHttpRequest allows reading of local
> files.
> <URL:http://online.securityfocus.com/archive/1/270807>
> +------------------------------------------------------------------------+
> Port name: mod_python
> Affected: versions < mod_python-2.7.8
> Status: Fixed
> A publisher may access an indirectly imported module allowing a remote
> attacker to call functions from that module.
> <URL:http://www.modpython.org/pipermail/mod_python/2002-April/001991.html>
> +------------------------------------------------------------------------+
> Port name: ntop
> Affected: all versions
> Status: Not fixed
> ``Preauthentication Remote Root Hole in NTOP''
> <URL:http://online.securityfocus.com/archive/1/267053>
> <URL:http://online.securityfocus.com/archive/1/267180>
> +------------------------------------------------------------------------+
> Port name: p5-SOAP-Lite
> Affected: versions < p5-SOAP-Lite-0.55
> Status: Fixed
> Client may call any procedure on server.
> <URL:http://use.perl.org/articles/02/04/09/000212.shtml?tid=5>
> <URL:http://www.phrack.com/show.php?p=58&a=9>
> <URL:http://www.soaplite.com/>
> +------------------------------------------------------------------------+
> Port name: puf
> Affected: versions < puf-0.93.1
> Status: Fixed
> Format string vulnerability in error output.
> <URL:http://puf.sourceforge.net/ChangeLog>
> +------------------------------------------------------------------------+
> Port name: sudo
> Affected: versions < sudo-1.6.6
> Status: Fixed
> Heap overflow may allow local users to gain root access.
> <URL:http://www.globalintersec.com/adv/sudo-2002041701.txt>
> +------------------------------------------------------------------------+
> Port name: webalizer
> Affected: versions < webalizer-2.1.10
> Status: Fixed
> Buffer overflow in the DNS resolver code.
> <URL:http://www.mrunix.net/webalizer/news.html>
> <URL:http://online.securityfocus.com/archive/1/267551>
> <URL:http://online.securityfocus.com/bid/4504>
> +------------------------------------------------------------------------+
> Port name: xpilot
> Affected: versions < xpilot-4.5.2
> Status: Fixed
> Stack buffer overflow in server.
> <URL:http://www.debian.org/security/2002/dsa-127>
> +------------------------------------------------------------------------+
>
> III. Upgrading Ports/Packages
>
> To upgrade a fixed port/packages, perform one of the following:
>
> 1) Upgrade your Ports Collection and rebuild and reinstall the port.
> Several tools are available in the Ports Collection to make this
> easier. See:
> /usr/ports/devel/portcheckout
> /usr/ports/misc/porteasy
> /usr/ports/sysutils/portupgrade
>
> 2) Deinstall the old package and install a new package obtained from
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
>
> Packages are not automatically generated for other architectures at
> this time.
>
>
> +------------------------------------------------------------------------+
> FreeBSD Security Notices are communications from the Security Officer
> intended to inform the user community about potential security issues,
> such as bugs in the third-party applications found in the Ports
> Collection, which will not be addressed in a FreeBSD Security
> Advisory.
>
> Feedback on Security Notices is welcome at <security-officer at FreeBSD.org>.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (FreeBSD)
> Comment: FreeBSD: The Power To Serve
>
> iQCVAwUBPN/CwlUuHi5z0oilAQERywP/dSqt97FPlLlDJE7tYpA5625FSjqbrWod
> KsoKIBHM2ZIHAjnhAyF82tUT4ivMvJwepk1NE+W9YX77K7n5LHkfqY4kzCaVZJrY
> gkaR63Dw+M5gqJ5FjO0RkSDxsltsKjSa6ZzKxWdAeRwDPbE7CwsjTI2AoS/kzaLw
> ex+PhdbYjbc=
> =fK1t
> -----END PGP SIGNATURE-----
>
> This is the moderated mailing list freebsd-announce.
> The list contains announcements of new FreeBSD capabilities,
> important events and project milestones.
> See also the FreeBSD Web pages at http://www.freebsd.org
>
>
> To Unsubscribe: send mail to majordomo at FreeBSD.org
> with "unsubscribe freebsd-announce" in the body of the message
>
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
For help contact olug-help at olug.org - run by ezmlm
to unsubscribe, send mail to olug-unsubscribe at olug.org
or `mail olug-unsubscribe at olug.org < /dev/null`
(c)1998-2002 OLUG http://www.olug.org
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
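Section III of the forwarded notice says to rebuild or reinstall any fixed port, but the first step on a real host is working out which of the listed packages are installed and whether the installed version is older than the fixed one. The version strings in the notice carry a PORTREVISION suffix (`_3`) and a PORTEPOCH suffix (`,1`), and the fixed version is given as a package name that need not match the port name (the `isc-dhcp3` port installs a package called `dhcp-...`), so a plain string comparison or a grep on the port name gets this wrong. The script below is an added example, not part of the notice and not one of FreeBSD's own tools: it parses the `Port name:` / `Affected:` entries into fixed versions and "all versions" (no fix) ports, compares them against a `pkg_info`-style list of installed packages, and reports what still needs upgrading. The comparator is a simplified re-implementation of the ordering `pkg_version -t` uses (epoch first, then dotted numeric components, with alpha/beta/pre/rc sorting before the bare version and any other letter suffix after it, then revision); it is an approximation, and `pkg_version -t installed fixed` on the FreeBSD host is the authoritative check. Matching "all versions" ports by installed package base name is a heuristic for the same port-versus-package-name reason. The notice excerpt and the installed-package list are constructed for the example.

```python
"""Added example, not FreeBSD code: triage a Security Notice against installed
packages.  Parses the "Port name:" / "Affected:" entries and compares pkg_info
-style "name-version" strings against the fixed version.  The comparator only
approximates pkg_version -t; on a real host `pkg_version -t` is authoritative."""
import re

STAGES = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3}  # pre-release markers


def split_pkgname(pkg):
    """'linux-mozilla-0.9.9.2002050810' -> ('linux-mozilla', '0.9.9.2002050810')."""
    name, _, version = pkg.rpartition("-")  # the version follows the last '-'
    return name, version


def version_tokens(version):
    """'ver[_revision][,epoch]' -> (epoch, tokens, revision).  Tokens are (class,
    value): numbers class 0, alpha/beta/pre/rc class -1 (sort before the bare
    version), any other letters class 1 (sort after it, like r8 in 3.0.1.r8)."""
    ver, _, epoch = version.partition(",")
    ver, _, rev = ver.partition("_")
    toks = []
    for piece in re.findall(r"\d+|[A-Za-z]+", ver):
        if piece.isdigit():
            toks.append((0, int(piece)))
        elif piece.lower() in STAGES:
            toks.append((-1, STAGES[piece.lower()]))
        else:
            toks.append((1, piece.lower()))
    return int(epoch or 0), toks, int(rev or 0)


def compare_versions(a, b):
    """-1/0/1 as a is older/equal/newer than b: epoch, then dotted version
    (missing trailing parts count as 0), then PORTREVISION."""
    ea, ta, ra = version_tokens(a)
    eb, tb, rb = version_tokens(b)
    if ea != eb:
        return -1 if ea < eb else 1
    n = max(len(ta), len(tb))
    ta += [(0, 0)] * (n - len(ta))
    tb += [(0, 0)] * (n - len(tb))
    if ta != tb:
        return -1 if ta < tb else 1
    return (ra > rb) - (ra < rb)


def _names(s):
    return [p.strip() for p in s.split(",") if p.strip()]


def parse_notice(text):
    """Split on the +----+ rules; per entry collect the 'versions < name-ver'
    fixed versions and the ports listed as 'all versions' (no fix available)."""
    entries = []
    for block in re.split(r"^\s*\+-+\+\s*$", text, flags=re.M):
        flat = " ".join(block.split())  # undo the notice's line wrapping
        m = re.search(r"Port name:\s*(.*?)\s*Affected:\s*(.*?)\s*Status:", flat)
        if not m:
            continue
        ports, affected = _names(m.group(1)), m.group(2)
        m2 = re.search(r"all versions of\s+(.*)", affected)
        unfixed = (_names(m2.group(1)) if m2 else
                   ports if re.search(r"\ball versions\b", affected) else [])
        entries.append({"fixed": re.findall(r"versions\s*<\s*(\S+)", affected),
                        "unfixed": unfixed})
    return entries


def check_installed(installed, entries):
    """Flag packages older than a fixed version, or whose port has no fix.
    Matching 'all versions' ports by package base name is a heuristic."""
    findings = []
    for pkg in installed:
        name, ver = split_pkgname(pkg)
        for e in entries:
            for fixed in e["fixed"]:
                fname, fver = split_pkgname(fixed)
                if fname == name and compare_versions(ver, fver) < 0:
                    findings.append((pkg, "older than fixed " + fixed))
            if name in e["unfixed"]:
                findings.append((pkg, "affected, no fixed version"))
    return findings


# Constructed, abridged excerpt in the notice's layout and a constructed
# pkg_info-style inventory; neither is the full notice or a real host.
SAMPLE_NOTICE = """\
+------+
Port name: analog
Affected: versions < analog-5.22
Status: Fixed
+------+
Port name: radiusclient, radiusd-cistron
Affected: versions < radiusd-cistron-1.6.6
all versions of radiusclient
Status: Fixed: radiusd-cistron
+------+
Port name: isc-dhcp3
Affected: versions < dhcp-3.0.1.r8_1
Status: Fixed
+------+
Port name: linux-mozilla, mozilla
Affected: versions < linux-mozilla-0.9.9.2002050810
versions < mozilla-1.0.rc1_3,1
Status: Fixed
+------+
"""
SAMPLE_INSTALLED = ["analog-5.21", "mozilla-1.0.rc1_2,1", "dhcp-3.0.1.r7",
                    "radiusclient-0.3.2", "radiusd-cistron-1.6.6"]

if __name__ == "__main__":
    for pkg, why in check_installed(SAMPLE_INSTALLED, parse_notice(SAMPLE_NOTICE)):
        print(pkg + ": " + why)
```

Run against the constructed inventory it reports analog-5.21 (older than 5.22), mozilla-1.0.rc1_2,1 (same version, lower PORTREVISION), dhcp-3.0.1.r7 (matched through the package name, not the isc-dhcp3 port name) and radiusclient-0.3.2 (listed with no fix), and stays quiet about radiusd-cistron-1.6.6, which is already at the fixed version. On a FreeBSD host, replace SAMPLE_INSTALLED with the output of `pkg_info` and feed the full notice text to parse_notice.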