From owner-freebsd-announce Mon Dec 17 10:19:38 2001
Date: Mon, 17 Dec 2001 10:19:14 -0800 (PST)
Message-Id: <200112171819.fBHIJEw62768@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:67.htdig
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:67                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          htdig configuration file vulnerability

Category:       ports
Module:         htdig
Announced:      2001-12-17
Credits:        Rafal Wojtczuk
Affects:        Ports collection prior to the correction date
Corrected:      2001-09-25 07:08:47 UTC
FreeBSD only:   NO

I.   Background

htsearch is a part of htdig.  The htdig system is a complete World Wide
Web indexing and searching system.

II.  Problem Description

htsearch can be run either remotely as a CGI or from the command line.
htsearch supports several options for use from the command line, such as
an option specifying a configuration file that it should use.  However,
these options are not limited to use via the command line.  When run as
a CGI script, htsearch still honors these options, which may be passed
as part of the URL.

As a result, a remote attacker can request that htsearch use any file
that the webserver has sufficient privilege to read as a configuration
file.

The htsearch port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format.  The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A remote attacker may use htsearch as a kind of denial-of-service
attack by causing it to read a never-ending special file such as
`/dev/null'.  More seriously, if the attacker has a local account or can
otherwise create a file on the target system (such as via anonymous FTP
upload or Samba), then he can remotely read any file on the target
system for which the webserver has sufficient privilege.

IV.  Workaround

1) Deinstall the htdig port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the htdig port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/textproc/htdig-3.1.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/textproc/htdig-3.1.5_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the htdig port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or
the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                            Revision
- -------------------------------------------------------------------------
ports/textproc/htdig/Makefile                                       1.20
ports/textproc/htdig/file/patch-htsearch_cc                         1.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp

iQCVAwUBPB4x3FUuHi5z0oilAQHsFgP/XYz0xj2mb7RjsKxkrM0Ymtur3CJAWjc/
2lNGjTWMCg46PFX+wlLkd5O37Ryr6wPALamLJu30WmYNgIMPU64vlTrqXVzgPgwv
ZZP3xv8qKTNrZwo40QYxTgeWF2dxIHAztrcD25CEUvrgPTAs0ZjwLKoVxM3sCqyl
Fr2A/AN+JWw=
=oZgk
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
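The defect in section II of the advisory above is that a CGI program let a URL parameter act as a command-line option and name an arbitrary file. As an added example (not htdig's code and not the FreeBSD patch listed in section VI), the C program below shows the separation a CGI search front-end should keep: when it runs under a web server (GATEWAY_INTERFACE is set) it ignores argv entirely and accepts the configuration only as a bare name, percent-decoded first and then restricted to [A-Za-z0-9_-], which it resolves inside a fixed directory; only on an operator's command line does it take a literal file path. The CONFIG_DIR value, the default name htdig, the `config` query parameter and the `-c` flag are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed location of the named configuration files (example value, not htdig's). */
#define CONFIG_DIR     "/usr/local/etc/htdig"
#define DEFAULT_CONFIG "htdig"

/* Decode %XX escapes and '+' in one query-string value.  Rejects malformed
 * escapes, an escape that would produce NUL, and values that do not fit. */
static int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (; *in != '\0'; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return 0;
            char hex[3] = { in[1], in[2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            in += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (c == 0 || o + 1 >= outlen)
            return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Fetch and decode the value of key from "k=v&k2=v2".  Returns 0 if absent. */
int query_param(const char *qs, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = qs;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            char raw[256];
            size_t vlen = plen - klen - 1;
            if (vlen >= sizeof raw) return 0;
            memcpy(raw, p + klen + 1, vlen);
            raw[vlen] = '\0';
            return url_decode(raw, out, outlen);
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* A configuration "name" is an identifier, never a path: 1..64 chars from
 * [A-Za-z0-9_-].  Validation runs on the decoded value, so "/", "." and
 * escaped forms of them are all refused here. */
int safe_config_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Map a validated name to CONFIG_DIR/<name>.conf.  Returns 0 on rejection. */
int resolve_config(const char *name, char *out, size_t outlen) {
    if (!safe_config_name(name)) return 0;
    int r = snprintf(out, outlen, "%s/%s.conf", CONFIG_DIR, name);
    return r > 0 && (size_t)r < outlen;
}

/* Decide which configuration file to load.  gateway_interface is the value of
 * $GATEWAY_INTERFACE (NULL when not running as a CGI).  Under a web server argv
 * is ignored entirely and only a validated "config" name from the query string
 * is honoured; on the command line a literal "-c path" (assumed flag) is
 * accepted because the operator's own shell supplied it. */
int choose_config(int argc, char **argv, const char *gateway_interface,
                  const char *query_string, char *out, size_t outlen) {
    if (gateway_interface != NULL) {
        char name[256];
        if (query_string == NULL || !query_param(query_string, "config", name, sizeof name))
            return resolve_config(DEFAULT_CONFIG, out, outlen);
        return resolve_config(name, out, outlen);   /* 0 means: refuse the request */
    }
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-c") == 0) {
            int r = snprintf(out, outlen, "%s", argv[i + 1]);
            return r > 0 && (size_t)r < outlen;
        }
    }
    return resolve_config(DEFAULT_CONFIG, out, outlen);
}

int main(int argc, char **argv) {
    char path[512];
    /* Under a CGI-capable web server GATEWAY_INTERFACE is set and QUERY_STRING
     * carries the URL parameters; on a terminal both are normally unset. */
    if (!choose_config(argc, argv, getenv("GATEWAY_INTERFACE"), getenv("QUERY_STRING"),
                       path, sizeof path)) {
        fputs("Content-Type: text/plain\r\n\r\nrejected: config must be a plain name\r\n", stdout);
        return 1;
    }
    printf("would load %s\n", path);
    return 0;
}
```

Run it once from a shell (`./a.out -c /home/op/custom.conf` loads that path) and once with `GATEWAY_INTERFACE=CGI/1.1 QUERY_STRING='config=../../etc/passwd'` set, where the same `-c` argument is ignored and the request is refused. The important design choice is that the web-facing interface never receives a path at all; it receives a name that the server maps onto a path it controls.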
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Mon Dec 17 10:19:43 2001
Date: Mon, 17 Dec 2001 10:19:20 -0800 (PST)
Message-Id: <200112171819.fBHIJKs62840@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:68.xsane
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:68                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          xsane port uses insecure temporary file handling

Category:       ports
Module:         xsane
Announced:      2001-12-17
Credits:        Tim Waugh, michal@harddata.com
Affects:        Ports collection prior to the correction date
Corrected:      2001-12-14 01:58:36 UTC
FreeBSD only:   NO

I.   Background

The XSane application is a gtk based X11 front-end to the SANE (Scanner
Access Now Easy) library used to interface with scanners.  XSane will
acquire images using devices such as scanners and cameras.

II.  Problem Description

XSane creates temporary files in /tmp during the process of scanning
images and to communicate with SANE (the back-end application which
actually performs the scans) during image preview and save.  However
XSane creates temporary files using mktemp(3), which can be easily
predicted (see the BUGS section of the mktemp(3) man page).  This makes
XSane vulnerable to exploit, opening the opportunity for a user's files
to be overwritten through a race condition.

The xsane port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
6000 third-party applications in a ready-to-install format.  The ports
collection shipped with FreeBSD 4.4 contains this problem since it was
discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A local user may be able to cause xsane (run by another user) to
overwrite any file for which the latter user has sufficient privilege.
While it is advisable to run XSane with a non-privileged user account,
many users run it using the root account, increasing the risk.

IV.  Workaround

1) Deinstall the xsane port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/graphics/xsane-0.82.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/xsane-0.82.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.
Be sure to check the file creation date on the package, because the
version number of the software has not changed.

3) Download a new port skeleton for the xsane port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.

The portcheckout port is available in /usr/ports/devel/portcheckout or
the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                            Revision
- -------------------------------------------------------------------------
ports/graphics/xsane/Makefile                                       1.30
ports/graphics/xsane/distinfo                                       1.20
ports/graphics/xsane/pkg-plist                                      1.18
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp

iQCVAwUBPB4x0lUuHi5z0oilAQGbNwP+NZpON4EgH8X/5Jzqr9ITnB4R3ljyka52
lf1fuHrVgX1JJAi5SCFcNaJWcLC44Y24+Yzs4b3zsGszMS+dkG8GrkO+wD2nsTjq
KTEGy8o+3Wyon/gcGQkU1AyhLdfticZhVSTubkcfg8AZUvkQV7zPuvLVronOcYGb
QKpTRN0MDJo=
=qr4R
-----END PGP SIGNATURE-----
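The xsane advisory above turns on the gap between choosing a temporary file name and creating the file. As an added example (not XSane's code and not the port's fix), the C below puts the mktemp(3) pattern the advisory describes next to a hardened version built on mkstemp(3), together with the post-creation check a scanner front-end could run before writing image data into the file. The template name xsane-preview-XXXXXX and the directory fallback order are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes, kept only for contrast.  The name is
 * chosen first and is predictable (BUGS section of mktemp(3)); the file is
 * created afterwards with O_CREAT but without O_EXCL, so anything already at
 * that path, such as a symlink planted by another local user between the two
 * calls, is followed and truncated instead of refused. */
int preview_file_insecure(char *template) {
    if (mktemp(template) == NULL || template[0] == '\0')
        return -1;
    return open(template, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: mkstemp(3) generates the name and creates the file in a
 * single O_CREAT|O_EXCL open, so a pre-planted file or symlink makes it fail
 * rather than be followed.  Directory preference is $TMPDIR, then /tmp, then
 * the current directory (the last only so the example runs where /tmp is
 * unavailable). */
int preview_file_secure(char *path, size_t pathlen) {
    const char *dirs[3] = { getenv("TMPDIR"), "/tmp", "." };
    for (int i = 0; i < 3; i++) {
        if (dirs[i] == NULL || *dirs[i] == '\0') continue;
        int n = snprintf(path, pathlen, "%s/xsane-preview-XXXXXX", dirs[i]);
        if (n <= 0 || (size_t)n >= pathlen) return -1;
        mode_t old = umask(077);      /* mode 0600 even where mkstemp uses 0666 */
        int fd = mkstemp(path);
        umask(old);
        if (fd >= 0) return fd;
    }
    return -1;
}

/* Check to run on the open descriptor before writing scan data: it must be a
 * regular file that we own, that nobody else can read or write, that is not
 * hard-linked elsewhere, and that is still the object the name refers to. */
int tempfile_is_private(int fd, const char *path) {
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0) return 0;
    if (!S_ISREG(fs.st_mode)) return 0;                  /* device, FIFO, ... */
    if (fs.st_uid != geteuid()) return 0;                /* someone else's file */
    if ((fs.st_mode & 077) != 0) return 0;               /* group/other access */
    if (fs.st_nlink != 1) return 0;                      /* linked elsewhere */
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino) return 0;  /* swapped */
    return 1;
}

/* Unlink the name and close the descriptor.  A front-end that keeps the fd
 * open can unlink immediately after creation so the name is never reusable. */
int tempfile_discard(int fd, const char *path) {
    int rc = unlink(path);
    if (close(fd) != 0) rc = -1;
    return rc;
}

int main(void) {
    char path[256];
    int fd = preview_file_secure(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("%s: %s\n", path, tempfile_is_private(fd, path) ? "private" : "NOT private");
    return tempfile_discard(fd, path) == 0 ? 0 : 1;
}
```

The umask dance around mkstemp matters on older libcs whose mkstemp created files with mode 0666 minus umask; on modern BSD and glibc it is already 0600, but the explicit umask makes the example behave the same everywhere. The fstat/lstat comparison is what catches a name that was swapped out after creation, which an O_EXCL open alone does not protect against.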
From owner-freebsd-announce Sat Dec 22 1:26:41 2001
Date: Fri, 21 Dec 2001 15:29:07 -0700
Message-Id: <4.3.2.7.2.20011221152822.00d73700@localhost>
From: Brett Glass
To: announce@freeBSD.org
Subject: O'Reilly Open Source Convention (July 2002) Call for Papers

For Immediate Release
December 21, 2001

For more information contact:
Suzanne Axtell, (707) 827-7114 or suzanne@oreilly.com

AT THE HEART OF THE MOVEMENT: PARTICIPATE IN THE O'REILLY OPEN SOURCE
CONVENTION

Sebastopol, CA--One of the most anticipated open source conferences is
gearing up for its 2002 edition: the O'Reilly Open Source Convention.
The creators, players, pundits, and products come together annually at
the O'Reilly Open Source Convention, happening this year at the Sheraton
San Diego Hotel and Marina in sunny San Diego, California, July 22-26,
2002.

CALL FOR PARTICIPATION

This five-day event is designed for programmers, developers,
strategists, and technical staff involved in open source technology and
its applications.  We're especially seeking presentations that invoke
open source's innovative, do-more-with-less origins and address the
challenges of today's economic turbulence.  What technologies will
thrive, and help us to thrive, in the future?  Creating and reinvesting
in community is at the core of open source philosophy--what open source
initiatives continue to strengthen these values?

The O'Reilly Open Source Convention begins with two days of rigorous
tutorials aimed at novices and experienced users of Perl, MySQL, PHP,
Python, XML, Linux, and other key open source technologies.  All
tutorials are designed to provide concrete knowledge that leads directly
to greater productivity.

Following the tutorial sessions are three days of multi-tracked
convention sessions focusing on leading technologies, best practices and
case studies, feature talks, demonstrations, and panel debates
examining: Perl, PHP, XML, databases (MySQL, PostgreSQL, Redhat DB,
Sleepycat), operating systems (Linux, FreeBSD, OpenBSD, NetBSD, Mac OS
X), Python, Apache, and Java.  Emerging topics, ethics, and political
and legal issues will also share the debate limelight.

All presenters whose talks are accepted will receive free registration
at the conference.  Deadline for submission of proposals is March 1,
2002.  Speakers will be notified by March 11, 2002.  Convention
registration opens April 1, 2002.

For more information about the 2002 O'Reilly Open Source Convention,
visit:
http://conferences.oreillynet.com/os2002/

For more details about tutorial and convention session topics, and to
submit a proposal, go to:
http://conferences.oreillynet.com/cs/os2002/create/e_sess

EXHIBITION AND SPONSORSHIP

If you are interested in exhibiting or sponsoring the convention,
contact Andrew Calvo at 707-827-7176, or andrewc@oreilly.com.

WORDS ABOUT THE 2001 O'REILLY OPEN SOURCE CONVENTION

"It's a rare thing to attend a computing conference where something
actually happens--here, instead of people waxing profound on the
possibilities of this technology or that (in between coffee breaks),
you get a surprise announcement that's certain to shake up the world as
we know it.  But there's a sense here this week that this
conference--the O'Reilly Open Source Convention--might be one of those
that amounts to something: Minds will be changed.  People will see the
light.  The world will be better after this."
--Farhad Manjoo, Wired, July 25, 2001

"O'Reilly's Open Source Conference (OSCON) is easily the most
interesting technical event I attend every year.  Each day at the
conference I get the chance to talk with brilliant, passionate people
who have done amazing work.  I doubt that in the course of my life I
will ever be in a place where the average IQ or level of dedication is
any higher."
--WebMonkey, August 2, 2001

Miss last year's Convention?  (Craig Mundie's Shared Source presentation
was a doozy!)  Check out more press coverage of the 2001 event:
http://www.oreillynet.com/oscon2001/

For information on the O'Reilly Bioinformatics Technology Conference
(January 2002 in Tucson, AZ) and the O'Reilly Emerging Technology
Conference (May 2002 in Santa Clara, CA), visit:
http://conferences.oreilly.com/

Click over regularly to the O'Reilly Network's Open Source DevCenter
central if you're hungry for more open source news:
http://www.onlamp.com/

About O'Reilly

O'Reilly & Associates is the premier information source for
leading-edge computer technologies.  We communicate the knowledge of
experts through our books, conferences, and web sites.  Our books, known
for their animals on the covers, occupy a treasured place on the shelves
of the developers building the next generation of software.  Our
conferences and summits bring innovators together to shape the
revolutionary ideas that spark new industries.
From the Internet to the Web, Linux, open source, peer-to-peer
networking, and now bioinformatics, we put technologies on the map.

For more information: http://www.oreilly.com

# # #

O'Reilly is a registered trademark of O'Reilly & Associates, Inc.  All
other trademarks are property of their respective owners.

From owner-freebsd-announce Sat Dec 22 1:35:57 2001
Date: Fri, 21 Dec 2001 16:36:27 -0600 (CST)
Message-Id: <20011221223627.E91297A101@mail.freebsdfoundation.org>
From: bod@freebsdfoundation.org (The FreeBSD Foundation)
To: announce@freebsd.org
Subject: FreeBSD Foundation Announces Java License for FreeBSD

The FreeBSD Foundation is pleased to announce that it has secured a
license from Sun Microsystems to distribute a native FreeBSD version of
both the Java Development Kit (JDK) and the Java Runtime Environment
(JRE).  Thanks to the great efforts of the FreeBSD Java team, these
should be available for inclusion with the upcoming release of FreeBSD
4.5 in January, 2002.

The general availability of a distributable version of Java will benefit
end users, commercial users, and developers who use FreeBSD.  Java
continues to grow in popularity and has become heavily used in server
side web applications, one of FreeBSD's core areas of strength.  With an
officially licensed binary Java distribution, FreeBSD becomes an ideal
platform for execution, development, and deployment of Java based
solutions.

This agreement would not have been possible without the efforts of Nate
Williams.  Nate not only started the FreeBSD Java porting effort, but
also brought Sun Microsystems and the Foundation together to negotiate a
license.

The FreeBSD Foundation, a 501(c)3 non-profit Colorado corporation, is
dedicated to supporting the FreeBSD Project.  In addition to sponsoring
the development and promotion of FreeBSD, as a recognized legal entity,
the Foundation can enter into legal contracts and hold intellectual
property in trust for the Project.  The Foundation hopes that today's
license agreement announcement is only the first of many occasions where
the Foundation's legal status allows FreeBSD to grow in ways that would
not otherwise be possible.

The FreeBSD Foundation relies solely on contributions from individuals
and businesses to fund its activities.  In negotiating the JDK/JRE
license, where both parties were in almost immediate agreement to the
license terms, the Foundation still spent in excess of $3000 on legal
fees.  Highly qualified and experienced legal counsel is the expensive
yet necessary cost of protecting the best interests of the FreeBSD
Project.  This particular activity was funded solely by contributions
from the FreeBSD Foundation's board of directors.  The Foundation will
only be able to continue its work with further contributions from the
general public.

Donations to the Foundation are usually considered tax-deductible for
those paying United States Federal income tax.  Any donations postmarked
by December 31st are applicable for the 2001 tax year.  Information on
how to donate to the Foundation can be found at:

http://www.freebsdfoundation.org

The Board of Directors
The FreeBSD Foundation

NOTE: Sun, Sun Microsystems, Java, JDK, and JRE are trademarks or
registered trademarks of Sun Microsystems, Inc. in the United States and
other countries.