Date: Thu, 1 Feb 2001 15:18:26 -0500
From: Will Andrews <will@physics.purdue.edu>
To: Paul Andrews <andrews@powersurfr.com>
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86
Message-ID: <20010201151826.C479@puck.firepipe.net>
In-Reply-To: <005301c08c89$33722260$b13e6c18@videon.ca>; from andrews@powersurfr.com on Thu, Feb 01, 2001 at 12:57:26PM -0700
References: <200101300909.f0U99qv87528@freefall.freebsd.org> <005301c08c89$33722260$b13e6c18@videon.ca>
On Thu, Feb 01, 2001 at 12:57:26PM -0700, Paul Andrews wrote:
> Does this issue affect only those that installed the XFree86 3.3.6 port or
> does it also affect those who have installed FreeBSD 4.2 RELEASE.

FreeBSD != XFree86. The advisory specifies what is vulnerable.

> If it does affect the RELEASE version what is the easiest way to fix this
> problem, without upgrading to XFree86 4.01.

If you have no users, just firewall off your X sockets (or tell X to turn
them off). If you have users, just make sure they can't run anything setuid
linked to libX11. 8)

For other fixes, see below (as specified in the advisory):

> > 1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
> > port.
> >
> > 2) Deinstall the old package and install an XFree86-4.0.2 package
> > obtained from:
> >
> > [i386]
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz
> >
> > [alpha]
> > Packages are not automatically generated for the alpha architecture at
> > this time due to lack of build resources.
> >
> > NOTE: XFree86-3.3.6 packages are no longer made available, only the
> > newer XFree86-4.0.2 packages.
> >
> > Note also that the XFree86-aoutlibs port has not yet been fixed: there
> > is currently no solution to the problem other than removing the
> > port/package and recompiling any dependent software to use ELF
> > libraries, or switching to an ELF-based version of the software, if
> > available (e.g. the BSD/OS or Linux versions of Netscape, as an
> > alternative to the FreeBSD native version). The potential impact of
> > the vulnerabilities to the local environment may be deemed not
> > sufficiently great to warrant this approach, however.
> >
> > 3) download a new port skeleton for the XFree86-3.3.6 port from:
> >
> > http://www.freebsd.org/ports/
> >
> > and use it to rebuild the port.
> >
> > 4) Use the portcheckout utility to automate option (3) above. The
> > portcheckout port is available in /usr/ports/devel/portcheckout or the
> > package can be obtained from:
> >
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
> > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-- 
wca
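The two interim mitigations in the reply above (stop X from accepting TCP connections, and make sure no setuid/setgid binary is linked against libX11) can be audited with a short script. This is an added example, not code from the thread or the advisory; it assumes ldd(1) and netstat(1) with their usual BSD/Linux output formats, and the directories it defaults to are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or the advisory): audit a host for the
# two exposures the reply points at for the XFree86-3.3.6 libX11 problem:
#   1. setuid/setgid executables dynamically linked against libX11
#   2. an X server still listening on TCP (port 6000 + display number)
# Assumes ldd(1) and netstat(1) in their usual BSD/Linux forms; default paths
# below are assumptions, pass your own roots to override them.

# Read ldd(1) output on stdin; exit 0 if it names libX11.
ldd_links_libx11() {
    grep -q 'libX11\.so'
}

# Print each setuid/setgid regular file under the given roots that links
# libX11. -xdev keeps the walk on one filesystem (no /proc, no NFS mounts).
find_setuid_x11() {
    for root in "$@"; do
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done | while IFS= read -r bin; do
        if ldd "$bin" 2>/dev/null | ldd_links_libx11; then
            printf '%s\n' "$bin"
        fi
    done
}

# Read `netstat -an` output on stdin; exit 0 if any TCP socket in LISTEN
# state is bound to an X display port (6000-6099). Handles both the BSD
# (*.6000) and the Linux (0.0.0.0:6000 / :::6000) local-address formats.
x_tcp_listener_present() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /[.:]60[0-9][0-9]$/ { found = 1 }
         END { exit !found }'
}

# Report both findings for the given roots (defaults are assumed locations).
audit_x11_exposure() {
    [ $# -gt 0 ] || set -- /usr/X11R6 /usr/local /usr/bin /usr/sbin
    echo "setuid/setgid binaries linked against libX11:"
    find_setuid_x11 "$@"
    if netstat -an 2>/dev/null | x_tcp_listener_present; then
        echo "X server accepts TCP connections: restart it with -nolisten tcp or firewall port 6000"
    else
        echo "no X TCP listener found"
    fi
}
```

Source the file and run `audit_x11_exposure` (optionally with the directories to scan) as root; a listed binary is one an unprivileged local user could use to reach the vulnerable library with elevated privileges and should be un-setuid'd or relinked after the port is rebuilt.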