[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Subject: FreeBSD Security Notice FreeBSD-SN-02:02
From: FreeBSD Security Advisories <
Date: Mon, 13 May 2002 07:28:30 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SN-02:02 Security Notice The FreeBSD Project Topic: security issues in ports Announced: 2002-05-13 I. Introduction Several ports in the FreeBSD Ports Collection are affected by security issues. These are listed below with references and affected versions. All versions given refer to the FreeBSD port/package version numbers. The listed vulnerabilities are not specific to FreeBSD unless otherwise noted. These ports are not installed by default, nor are they ``part of FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications. See <URL:http://www.freebsd.org/ports/> for more information about the FreeBSD Ports Collection. II. Ports +------------------------------------------------------------------------+ Port name: analog Affected: versions < analog-5.22 Status: Fixed Cross-site scripting attack. <URL:http://www.analog.cx/security4.html> +------------------------------------------------------------------------+ Port name: ascend-radius, freeradius-devel, icradius, radius-basic, radiusclient, radiusd-cistron, xtradius Affected: versions < radiusd-cistron-1.6.6 all versions of ascend-radius, freeradius-devel, icradius, radius-basic, radiusclient Status: Fixed: radiusd-cistron Not fixed: all others Digest Calculation buffer overflow and/or insufficient validation of attribute lengths. <URL:http://www.security.nnov.ru/advisories> +------------------------------------------------------------------------+ Port name: dnews Affected: versions < dnews-5.5h2 Status: Fixed ``Security fault.'' <URL:http://netwinsite.com/cgi/dnewsweb.cgi?cmd=article&group=netwin.dnews&item=7223&utag=> +------------------------------------------------------------------------+ Port name: ethereal Affected: versions < ethereal-0.9.3 Status: Fixed SNMP vulnerability: malformed SNMP packets may cause ethereal to crash. <URL:http://www.ethereal.com/appnotes/enpa-sa-00003.html> +------------------------------------------------------------------------+ Port name: icecast Affected: versions < icecast-1.3.12 Status: Fixed Directory traversal vulnerability. Remote attackers may cause a denial of service via a URL that ends in . (dot), / (forward slash), or \ (backward slash). Buffer overflows may allow remote attackers to execute arbitrary code or cause a denial of service. <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0784> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1083> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1229> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1230> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0177> +------------------------------------------------------------------------+ Port name: isc-dhcp3 Affected: versions < dhcp-3.0.1.r8_1 Status: Fixed Format string vulnerability when logging DNS-update request transactions. <URL:http://www.cert.org/advisories/CA-2002-12.html> <URL:http://www.ngsec.com/docs/advisories/NGSEC-2002-2.txt> +------------------------------------------------------------------------+ Port name: jdk, jdk12-beta Affected: all versions Status: Not fixed ``A vulnerability in the Java(TM) Runtime Environment may allow an untrusted applet to monitor requests to and responses from an HTTP proxy server when a persistent connection is used between a client and an HTTP proxy server.'' <URL:http://sunsolve.sun.com/security> (Bulletin 216) +------------------------------------------------------------------------+ Port name: linux-mozilla, mozilla Affected: versions < linux-mozilla-0.9.9.2002050810 versions < mozilla-1.0.rc1_3,1 Status: Fixed Buffer overflow in Chatzilla. XMLHttpRequest allows reading of local files. <URL:http://online.securityfocus.com/archive/1/270807> +------------------------------------------------------------------------+ Port name: mod_python Affected: versions < mod_python-2.7.8 Status: Fixed A publisher may access an indirectly imported module allowing a remote attacker to call functions from that module. <URL:http://www.modpython.org/pipermail/mod_python/2002-April/001991.html> +------------------------------------------------------------------------+ Port name: ntop Affected: all versions Status: Not fixed ``Preauthentication Remote Root Hole in NTOP'' <URL:http://online.securityfocus.com/archive/1/267053> <URL:http://online.securityfocus.com/archive/1/267180> +------------------------------------------------------------------------+ Port name: p5-SOAP-Lite Affected: versions < p5-SOAP-Lite-0.55 Status: Fixed Client may call any procedure on server. <URL:http://use.perl.org/articles/02/04/09/000212.shtml?tid=5> <URL:http://www.phrack.com/show.php?p=58&a=9> <URL:http://www.soaplite.com/> +------------------------------------------------------------------------+ Port name: puf Affected: versions < puf-0.93.1 Status: Fixed Format string vulnerability in error output. <URL:http://puf.sourceforge.net/ChangeLog> +------------------------------------------------------------------------+ Port name: sudo Affected: versions < sudo-1.6.6 Status: Fixed Heap overflow may allow local users to gain root access. <URL:http://www.globalintersec.com/adv/sudo-2002041701.txt> +------------------------------------------------------------------------+ Port name: webalizer Affected: versions < webalizer-2.1.10 Status: Fixed Buffer overflow in the DNS resolver code. <URL:http://www.mrunix.net/webalizer/news.html> <URL:http://online.securityfocus.com/archive/1/267551> <URL:http://online.securityfocus.com/bid/4504> +------------------------------------------------------------------------+ Port name: xpilot Affected: versions < xpilot-4.5.2 Status: Fixed Stack buffer overflow in server. <URL:http://www.debian.org/security/2002/dsa-127> +------------------------------------------------------------------------+ III. Upgrading Ports/Packages To upgrade a fixed port/packages, perform one of the following: 1) Upgrade your Ports Collection and rebuild and reinstall the port. Several tools are available in the Ports Collection to make this easier. See: /usr/ports/devel/portcheckout /usr/ports/misc/porteasy /usr/ports/sysutils/portupgrade 2) Deinstall the old package and install a new package obtained from [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/ Packages are not automatically generated for other architectures at this time. +------------------------------------------------------------------------+ FreeBSD Security Notices are communications from the Security Officer intended to inform the user community about potential security issues, such as bugs in the third-party applications found in the Ports Collection, which will not be addressed in a FreeBSD Security Advisory. Feedback on Security Notices is welcome at <This email address is being protected from spambots. You need JavaScript enabled to view it. >. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) Comment: FreeBSD: The Power To Serve iQCVAwUBPN/CwlUuHi5z0oilAQERywP/dSqt97FPlLlDJE7tYpA5625FSjqbrWod KsoKIBHM2ZIHAjnhAyF82tUT4ivMvJwepk1NE+W9YX77K7n5LHkfqY4kzCaVZJrY gkaR63Dw+M5gqJ5FjO0RkSDxsltsKjSa6ZzKxWdAeRwDPbE7CwsjTI2AoS/kzaLw ex+PhdbYjbc= =fK1t -----END PGP SIGNATURE----- To Unsubscribe: send mail toThis email address is being protected from spambots. You need JavaScript enabled to view it. with "unsubscribe freebsd-security-notifications" in the body of the message
Powered by: | MHonArc |