Archive of FreeBSD Security general posting, FreeBSD Security Notice FreeBSD-SN-02:03

29/05/02, FreeBSD Security Notice FreeBSD-SN-02:03
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Subject: FreeBSD Security Notice FreeBSD-SN-02:03
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Date: Tue, 28 May 2002 10:58:17 -0700 (PDT)
List-archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-id: <freebsd-announce.FreeBSD.ORG>
List-subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-announce>
List-unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-announce>
Reply-to: security-advisories@FreeBSD.ORG
Sender: owner-freebsd-announce@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:03                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports
Announced:      2002-05-28

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      amanda
Affected:       versions <= amanda-2.3.0.4
Status:         Port removed
Obsolete versions of Amanda contain multiple buffer overflows.
<URL:http://online.securityfocus.com/archive/1/274215>
+------------------------------------------------------------------------+
Port name:      fetchmail
Affected:       versions < fetchmail-5.9.11
Status:         Fixed
<URL:http://tuxedo.org/~esr/fetchmail/NEWS>
<URL:http://rhn.redhat.com/errata/RHSA-2002-047.html>
+------------------------------------------------------------------------+
Port name:      gaim
Affected:       versions < gaim-0.58
Status:         Fixed
World-readable temp files allow access to gaim users' hotmail
accounts.
<URL:http://online.securityfocus.com/archive/1/272180>
+------------------------------------------------------------------------+
Port name:      gnokii
Affected:       versions < gnokii-0.4.0.p20,1
Status:         Fixed
Write access to any file in the filesystem.
<URL:http://www.gnokii.org/news.shtml>
+------------------------------------------------------------------------+
Port name:      horde
Affected:       versions < horde-1.2.8
Status:         Fixed
Cross-site scripting attacks.
+------------------------------------------------------------------------+
Port name:      imap-uw
Affected:       all versions
Status:         Not fixed
Only when compiled with RFC 1730 support (make -DWITH_RFC1730):
Remote buffer overflow yielding non-privileged shell access.
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379>
<URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529&w=2>
+------------------------------------------------------------------------+
Port name:      imp
Affected:       versions < imp-2.2.8
Status:         Fixed
Cross-site scripting attacks.
+------------------------------------------------------------------------+
Port name:      linux-netscape6
Affected:       versions < 6.2.3
Status:         Fixed
XMLHttpRequest allows reading of local files.
<URL:http://online.securityfocus.com/archive/1/270807>
+------------------------------------------------------------------------+
Port name:      mnogosearch
Affected:       versions < mnogosearch-3.1.19_2
Status:         Fixed
Long query can be abused to execute code with webserver privileges.
<URL:http://online.securityfocus.com/archive/1/272025>
+------------------------------------------------------------------------+
Port name:      mpg321
Affected:       versions < mpg321-0.2.9
Status:         Fixed
Buffer overflow may allow remote attackers to execute arbitrary code via
streaming data.
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0272>
+------------------------------------------------------------------------+
Port name:      ssh2
Affected:       all versions
Status:         Not fixed
Password authentication may be used even if password authentication
is disabled.
<URL:http://www.ssh.com/products/ssh/advisories/authentication.cfm>
+------------------------------------------------------------------------+
Port name:      tinyproxy
Affected:       versions < tinyproxy-1.5.0
Status:         Fixed
Invalid query could allow execution of arbitrary code.
<URL:http://tinyproxy.sourceforge.net/NEWS>
+------------------------------------------------------------------------+
Port name:      webmin
Affected:       versions < webmin-0.970
Status:         Fixed
Remote attacker can login to Webmin as any user.
<URL:http://www.webmin.com/webmin/changes.html>
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier.  See:
  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.


+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.

Feedback on Security Notices is welcome at <security-officer@FreeBSD.org>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPPPEdFUuHi5z0oilAQFW8wP8CXG3dQyI5VPLp0m6frS4BtNtlkjOpq87
R/8FrDizVNGQ88+NzdPPPYWh8joAPGJZSXrWrSWKSge2dqEDK4CTpJ5BFzpQsxUZ
kexaZ43DRxrUMQN1AWDyarE+/y8uCk3BnJTWhNLOf2HeOYNekOn/BHQ53ucpoaKs
QQEX171+Jnk=
=Z1i5
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message


Previous message sorted by date: FreeBSD Security Notice FreeBSD-SN-02:02
Next message sorted by date: FreeBSD Security Notice FreeBSD-SN-02:04
Previous message sorted by thread: FreeBSD Security Notice FreeBSD-SN-02:02
Next message by thread: FreeBSD Security Notice FreeBSD-SN-02:04
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2003