-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:06                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports
Announced:      2002-10-10

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
for more information about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      apache13, apache13+ipv6, apache13-fp, apache13-modssl
                and apache13-ssl
Status:         Fixed (apache13, apache13+ipv6, apache13-fp and
                apache13-modssl)
                Not fixed (apache13-ssl)
Affected:       versions < apache+ipv6-1.3.27
                versions < apache+mod_ssl-1.3.27+2.8.11
                versions < apache-1.3.27
                versions < apache_fp-1.3.27
                versions < ru-apache-1.3.27.30.16
Attackers can cause httpd to spawn new processes, or can kill other
processes, resulting in denial of service.
+------------------------------------------------------------------------+
Port name:      gaim
Affected:       versions < gaim-0.59.1
Status:         Fixed
The URL handler in the manual browser option for Gaim before 0.59.1
fails to escape shell metacharacters in links.
+------------------------------------------------------------------------+
Port name:      gallery
Affected:       versions < gallery-1.3.1
Status:         Fixed
Remotely exploitable.
+------------------------------------------------------------------------+
Port name:      gtar
Affected:       versions < gtar-1.13.25_5
Status:         Fixed
Directory traversal bug allows files to be overwritten unexpectedly
when an archive is extracted.
+------------------------------------------------------------------------+
Port name:      hylafax
Affected:       versions < hylafax-4.1.3
Status:         Fixed
Format string vulnerability and buffer overflow resulting in potential
denial of service attack, arbitrary code execution as root, and
elevation of privilege.
+------------------------------------------------------------------------+
Port name:      linux_base-6
Affected:       versions < linux_base-6.1_2
Status:         Fixed
multiple vulnerabilities in Xlib
+------------------------------------------------------------------------+
Port name:      linux_base and linux_base-6
Affected:       versions < linux_base-7.1_1 (linux_base)
                versions < linux_base-6.1_2 (linux_base-6)
Status:         Fixed
XDR RPC and resolver buffer overflows in glibc
+------------------------------------------------------------------------+
Port name:      linux-flashplugin
Affected:       versions < linux-flashplugin-5.0r50
Status:         Fixed
A buffer overflow allowed execution of arbitrary code.  Another bug
allowed the contents of users' files to be sent to a malicious Web
server.
+------------------------------------------------------------------------+
Port name:      mozilla, mozilla-devel
Affected:       versions < mozilla-1.0.1_1,2 (mozilla)
                versions < linux-mozilla-1.0_1 (mozilla-devel)
Status:         Not fixed
An overflow exists in the Chatzilla IRC client.  It can cause Mozilla
to crash even if the demonstration page does not cause the crash.
According to Robert Ginda, the bug does not allow execution of
malicious code.

Chatzilla had been disabled in the affected ports, but it was
inadvertently enabled again.  The presence of Chatzilla is indicated
by an icon in the status bar, by an item in the Window menu, and by
the existence of the chatzilla.jar file.
As a workaround, remove chatzilla.jar.
+------------------------------------------------------------------------+
Port name:      opera
Affected:       versions < opera-6.03.20020813
Status:         Fixed
Buffer overflows in OpenSSL may allow execution of arbitrary code.
+------------------------------------------------------------------------+
Port name:      php
Affected:       versions mod_php4-4.0.5 to mod_php4-4.2.2
                versions >= php4-4.0.5 to php4-4.2.2
Status:         Fixed
possible execution of arbitrary code via mail() function
+------------------------------------------------------------------------+
Port name:      pkzip
Affected:       all versions
Status:         Not Fixed
If the -rec option is used when extracting an archive, files with "/"
as the first character in the path, or with "../" may be extracted.
+------------------------------------------------------------------------+
Port name:      qmailadmin
Affected:       versions < qmailadmin-1.0.6
Status:         Fixed
Installs setuid with exploitable buffer overflow leading to privileges
of `vpopmail' user.
+------------------------------------------------------------------------+
Port name:      unzip
Affected:       versions < unzip-5.50
Status:         Fixed
Files with "/" as the first character in the path, or with "../" in
the path may be extracted from an archive.
+------------------------------------------------------------------------+
Port name:      webmin
Affected:       versions < webmin-1.020
Status:         Fixed
A prepackaged SSL key was identical for every installation, allowing
sessions to be hijacked.
+------------------------------------------------------------------------+
Port name:      XFree86-4, XFree86-4-Server, XFree86-4-NestServer,
                XFree86-4-VirtualFramebufferServer,
                XFree86-4-libraries, XFree86-4-clients
Affected:       versions < XFree86-Server-4.2.1_1
                versions < XFree86-libraries-4.2.1_1
                versions < XFree86-clients-4.2.1_1
                versions < XFree86-NestServer-4.2.1
                versions < XFree86-VirtualFramebufferServer-4.2.1
Status:         Fixed
Arbitrary code execution in privileged clients; overwriting restricted
shared memory segments; others.
+------------------------------------------------------------------------+
Port name:      xinetd
Affected:       versions < xinetd-2.3.7
Status:         Fixed
A file descriptor leak in xinetd could give an unprivileged process
the ability to terminate the master xinetd process.
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier.  See:
  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.

+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.

Feedback on Security Notices is welcome at .
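
The gtar, pkzip and unzip entries above all describe archive members
whose names begin with "/" or contain a ".." component.  The following
is an added example, not part of the original notice or of any listed
port: it lists an archive's members without extracting and flags those
names.  All function names and sample archives are constructed for
illustration.

```python
import io
import tarfile
import zipfile


def unsafe_reason(name):
    """Return why a member name could escape the extraction directory, or None."""
    if name.startswith("/"):
        return "absolute path"
    # Compare whole components so "notes..txt" is not flagged but "a/.." is.
    if ".." in name.split("/"):
        return "parent-directory component"
    return None


def member_names(data):
    """List member names of an in-memory zip or tar archive without extracting."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    with tarfile.open(fileobj=buf) as tf:
        return tf.getnames()


def audit(data):
    """Map each unsafe member name to the reason it was flagged."""
    return {n: r for n in member_names(data) if (r := unsafe_reason(n))}


def sample_zip():
    """Constructed sample: one safe entry and two unsafe ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/notes..txt", "/etc/example.conf", "docs/../../x"):
            zf.writestr(name, b"constructed")
    return buf.getvalue()


def sample_tar():
    """Constructed sample: one member that climbs out of the target directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("../outside.txt", "inside.txt"):
            tf.addfile(tarfile.TarInfo(name))
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(sample_zip()), audit(sample_tar()))
```

Run audit() on an archive from an untrusted source before extracting
it; an empty result means no member name matched either pattern.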