Subject: FreeBSD Security Notice FreeBSD-SN-02:01
From: FreeBSD Security Advisories <address obscured>
Date: Fri, 5 Apr 2002 07:15:02 -0800 (PST)


FreeBSD-SN-02:01                                              Security Notice
                                                                FreeBSD, Inc.

Topic:          security issues in ports
Announced:      2002-03-30

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

Port name:      acroread, acroread-chsfont, acroread-chtfont,
                  acroread-commfont, acroread4, linux-mozilla,
                  linux-netscape6, linux_base, linux_base-7
Affected:       versions < linux_base-6.1_1 (linux_base port)
                versions < linux_base-7.1_2 (linux_base-7 port)
                versions < linux_mozilla-0.9.9_1
                all versions of all acroread ports
                all versions of linux-netscape6
Status:         Fixed: linux_base, linux_base-7, linux-mozilla.
                Not fixed: acroread, acroread-chsfont, acroread-chtfont,
                  acroread-commfont, acroread4, linux-netscape6.
These Linux binaries utilize versions of zlib which may contain an
exploitable double-free bug.

Port name:      apache13-ssl, apache13-modssl
Affected:       all versions of apache+ssl
                all versions of apache+mod_ssl
Status:         Not yet fixed.
Buffer overflows in SSL session cache handling.

Port name:      bulk_mailer
Affected:       all versions
Status:         Not yet fixed.
Buffer overflows, temporary file race.

Port name:      cups, cups-base, cups-lpr
Affected:       versions < cups-1.1.14
                versions < cups-base-1.1.14
                versions < cups-lpr-1.1.14
Status:         Fixed.
Buffer overflows in IPP code.

Port name:      fileutils
Affected:       all versions
Status:         Not yet fixed.
Race condition in directory removal.

Port name:      imlib
Affected:       versions < imlib-1.9.13
Status:         Fixed.
Heap corruption in image handling.

Port name:      listar, ecartis
Affected:       versions < ecartis-1.0.0b
                all versions of listar
Status:         Fixed: ecartis.
                Not fixed: listar.
Local and remote buffer overflows, incorrect privilege handling.

Port name:      mod_php3, mod_php4
Affected:       versions < mod_php3-3.0.18_3
                versions < mod_php4-4.1.2
Status:         Fixed.
Vulnerabilities in file upload handling.

Port name:      ntop
Affected:       all versions
Status:         Not yet fixed.
Remote format string vulnerability.

Port name:      rsync
Affected:       versions < rsync-2.5.4
Status:         Fixed.
Incorrect group privilege handling, zlib double-free bug.

Port name:      xchat, xchat-devel
Affected:       all versions
Status:         Not yet fixed.
Malicious server may cause xchat to execute arbitrary commands.

III. Upgrading Ports/Packages

Do one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier.  See:

2) Deinstall the old package and install a new package obtained from


Packages are not automatically generated for other architectures at
this time.

FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security

Feedback on Security Notices is welcome at <address obscured>.
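
One way to check a host against the "Affected" lines in section II before choosing an upgrade path from section III. This is an added example, not part of the notice or of FreeBSD's tooling; the table covers only the entries with a single threshold or "all versions", and version_key is a simplified comparison written for this example, not the ports tools' own algorithm. The installed-package list is constructed sample data.

```python
import re

# Thresholds transcribed from section II of the notice (names as written there).
# A version string means "affected below this"; None means all versions affected.
# linux_base is omitted: it has two fixed branches (6.1_1 and 7.1_2).
NOTICE = {
    "cups": "1.1.14", "cups-base": "1.1.14", "cups-lpr": "1.1.14",
    "imlib": "1.9.13", "ecartis": "1.0.0b", "rsync": "2.5.4",
    "mod_php3": "3.0.18_3", "mod_php4": "4.1.2", "linux_mozilla": "0.9.9_1",
    "bulk_mailer": None, "fileutils": None, "listar": None, "ntop": None,
    "xchat": None, "xchat-devel": None, "linux-netscape6": None,
    "apache+ssl": None, "apache+mod_ssl": None,
}

def version_key(version):
    """Sort key for 'X.Y.Z[letters][_revision][,epoch]' (simplified assumption)."""
    version, _, epoch = version.partition(",")
    main, _, rev = version.partition("_")
    parts = re.findall(r"\d+|[a-z]+", main.lower())
    tokens = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in parts)
    return int(epoch or 0), tokens, int(rev or 0)

def split_package(pkg):
    """'cups-base-1.1.13' -> ('cups-base', '1.1.13'); version follows the last hyphen."""
    name, _, version = pkg.rpartition("-")
    return name, version

def audit(installed):
    """Return (package, reason) for each installed package the notice lists as affected."""
    findings = []
    for pkg in installed:
        name, version = split_package(pkg)
        if name not in NOTICE:
            continue
        fixed = NOTICE[name]
        if fixed is None:
            findings.append((pkg, "all versions affected, no fixed version in the notice"))
        elif version_key(version) < version_key(fixed):
            findings.append((pkg, f"upgrade to {name}-{fixed} or later"))
    return findings

# Constructed sample: installed packages in name-version form.
SAMPLE = ["rsync-2.5.2", "cups-base-1.1.14", "mod_php3-3.0.18_2",
          "ecartis-1.0.0a", "ntop-2.0", "imlib-1.9.13", "bash-2.05"]

if __name__ == "__main__":
    for pkg, reason in audit(SAMPLE):
        print(f"{pkg}: {reason}")
```
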