From owner-freebsd-announce Mon Aug 14 15:48:59 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:34.dhclient
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814224848.4311837B69B@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:48:48 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:34                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          dhclient vulnerable to malicious dhcp server

Category:       core, ports
Module:         dhclient, isc-dhcp2 (ports), isc-dhcp3 (ports)
Announced:      2000-08-14
Affects:        All releases of FreeBSD after FreeBSD 3.2-RELEASE and
                prior to the correction date (including FreeBSD 4.0 and
                3.5, but not 4.1)
                Ports collection prior to the correction date.
Credits:        OpenBSD
Vendor status:  Updated version released
Corrected:      2000-07-20 [FreeBSD 4.0 base system]
                2000-08-01 [isc-dhcp2 port]
                2000-07-21 [isc-dhcp3 port]
FreeBSD only:   NO

I.   Background

ISC-DHCP is an implementation of the DHCP protocol containing client and
server. FreeBSD 3.2 and above includes the version 2 client by default in
the base system, and the version 2 and version 3 clients and servers in
the Ports Collection.

II.  Problem Description

The dhclient utility (DHCP client), versions 2.0pl2 and before (for the
version 2.x series), and versions 3.0b1pl16 and before (for the version
3.x series), does not correctly validate input from the server, allowing
a malicious DHCP server to execute arbitrary commands as root on the
client.

DHCP may be enabled if your system was initially configured from a DHCP
server at install-time, or if you have specifically enabled it after
installation.
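Whether a machine is exposed therefore comes down to which interfaces
/etc/rc.conf hands to dhclient. The script below is an added example and
is not part of this advisory or of FreeBSD: the functions dhcp_ifaces,
to_static and sample_rcconf are its own names, and the rc.conf it writes is
constructed data. dhcp_ifaces lists every interface whose ifconfig_ value
contains "dhcp" in any letter case, which is the test rc.conf(5) applies,
and to_static emits a copy of the file with one interface switched to the
static form that the workaround in section IV calls for.

```sh
#!/bin/sh
# Added example (not from the advisory): audit /etc/rc.conf for interfaces
# that rc.conf(5) hands to dhclient, and rewrite one of them to a static
# address as the workaround in section IV describes.

# Print the name of every interface whose ifconfig_<name> value contains
# "dhcp" in any letter case, which is the test rc.conf(5) applies.
dhcp_ifaces() {
    rcconf=$1
    sed -e 's/#.*$//' "$rcconf" |
    grep -E '^[[:space:]]*ifconfig_[A-Za-z0-9_]+=' |
    while IFS= read -r line; do
        name=${line#*ifconfig_}      # drop everything up to "ifconfig_"
        name=${name%%=*}             # keep the interface name before "="
        value=${line#*=}
        case "$value" in
            *[Dd][Hh][Cc][Pp]*) printf '%s\n' "$name" ;;
        esac
    done
}

# Write a copy of rc.conf to stdout with ifconfig_<iface> replaced by a
# static "inet <addr> netmask <mask>" line; every other line is untouched.
to_static() {
    rcconf=$1 iface=$2 addr=$3 mask=$4
    sed "s|^\([[:space:]]*ifconfig_$iface\)=.*|\1=\"inet $addr netmask $mask\"|" "$rcconf"
}

# Constructed sample rc.conf used to exercise the functions above.
sample_rcconf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
hostname="host.example.com"
ifconfig_xl0="DHCP"
ifconfig_fxp0="dhcp"          # lower case also enables dhclient
ifconfig_ed0="inet 192.0.2.20 netmask 255.255.255.0"
#ifconfig_rl0="DHCP"
sshd_enable="YES"
EOF
}

# Stand-alone run: list the DHCP interfaces, then show xl0 made static.
f=$(mktemp) || exit 1
sample_rcconf "$f"
echo "interfaces using dhclient:"
dhcp_ifaces "$f"
echo "rc.conf with xl0 switched to a static address:"
to_static "$f" xl0 192.0.2.10 255.255.255.0
rm -f "$f"
```

Run it against the real file with dhcp_ifaces /etc/rc.conf; the commented
rl0 line in the sample shows why comments are stripped before matching,
and the lower-case fxp0 line shows why the match is case-insensitive.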
FreeBSD 4.1 is not affected by this problem since it contains the 2.0pl3
client.

III. Impact

An attacker who has or gains control of a DHCP server may gain additional
root access to DHCP clients running vulnerable versions of ISC-DHCP.

If you are not using dhclient to configure client machines via DHCP, or
your DHCP server is "trusted" according to your local security policy,
then this vulnerability does not apply to you.

IV.  Workaround

Disable the use of DHCP for configuring client machines: remove the
case-insensitive string "dhcp" from the "ifconfig_" directives in
/etc/rc.conf and replace it with appropriate static interface
configuration according to the rc.conf(5) manpage. An example of a
DHCP-enabled interface is the following line in /etc/rc.conf:

ifconfig_xl0="DHCP"

V.   Solution

NOTE: At this time the FreeBSD 3.x branch has not yet been patched, due
to logistical difficulties. Users running a vulnerable 3.x system are
advised to either upgrade to FreeBSD 4.1, disable the use of DHCP as
described above, or use the dhclient binary from the isc-dhcp2 port dated
after the correction date.

1) Upgrade your vulnerable FreeBSD 4.0 system to a version dated after
the correction date. See

http://www.freebsd.org/handbook/makeworld.html

for instructions on how to upgrade and recompile your FreeBSD system from
source, or perform a binary upgrade, e.g. to FreeBSD 4.1-RELEASE,
described here:

http://www.freebsd.org/releases/4.1R/notes.html

2) (If using the isc-dhcp2 or isc-dhcp3 ports) One of the following:

2a) Upgrade your entire ports collection and rebuild the isc-dhcp2 or
isc-dhcp3 port.

2b) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[isc-dhcp3]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz

NOTE: The isc-dhcp2 port is not available as a package.

2c) Download a new port skeleton for the isc-dhcp2 or isc-dhcp3 port
from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

2d) Use the portcheckout utility to automate option (2c) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh3J1UuHi5z0oilAQHXBQQAmCLlTUfikHbgBelFd22agjTo/AVwR933
El0AMRHakiBJAHTMseZ4Nj+HyGUgVzD3oRMgmjx1u+HUCQM2/akuXXZdSHlur5Jc
OyEGxcwxyzYXnNzWAL1vh6MYrpkGDfh74bHircLdO16d6uC1d+0VFmkxUOOFN4zb
g7yK3m2ZOxo=
=qTwd
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Mon Aug 14 15:50:19 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:35.proftpd
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814225006.3E66637B685@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:50:06 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:35                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          proftpd port contains remote root compromise

Category:       ports
Module:         proftpd
Announced:      2000-08-14
Credits:        lamagra
Affects:        Ports collection prior to the correction date.
Corrected:      2000-07-28
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

proftpd is a popular FTP server.

II.  Problem Description

The proftpd port, versions prior to 1.2.0rc2, contains a vulnerability
which allows FTP users, both anonymous FTP users and those with a valid
account, to execute arbitrary code as root on the local machine, by
inserting string-formatting operators into command input, which are
incorrectly parsed by the FTP server. This is the same class of
vulnerability as the one described in FreeBSD Security Advisory 00:29,
which pertained to the wu-ftpd port.

The proftpd port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
nearly 3700 third-party applications in a ready-to-install format.
The ports collection shipped with FreeBSD 3.5 contains this problem since
it was discovered after the release, but FreeBSD 4.1 did not ship with
the proftpd package (and the port was disabled to prevent building)
because the vulnerability was known but not yet fixed. FreeBSD makes no
claim about the security of these third-party applications, although an
effort is underway to provide a security audit of the most
security-critical ports.

III. Impact

FTP users, including anonymous FTP users, can cause arbitrary commands to
be executed as root on the local machine.

If you have not chosen to install the proftpd port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the proftpd port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the proftpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/proftpd-1.2.0rc2.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the proftpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh1u1UuHi5z0oilAQFYQQP/UH7MbeD/cm3aPGrPdb8NXUo9giAajayX
uWazNh+kfJGUrpVg3DaYo7jY2ZG5yrBBo5kZRFUUSy5OpDvD20I3QBhtNV0gWItD
n2mkSDP90BG4scmVuwx+GexCz5gZ+frpM2hKXlhtFqJRMA2Sk0R4vzapIvc16EFN
6nraHfzVSCk=
=7ifu
-----END PGP SIGNATURE-----

From owner-freebsd-announce Mon Aug 14 15:51:30 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:36.ntop
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814225114.12D9837B6B4@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:51:14 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:36                                           Security Advisory
                                                                FreeBSD, Inc.
Topic:          ntop port allows remote and minor local compromise

Category:       ports
Module:         ntop
Announced:      2000-08-14
Credits:        Discovered during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-12 (However, see below)
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

ntop is a utility for monitoring and summarizing network usage, from the
command-line or remotely via HTTP.

II.  Problem Description

The ntop software is written in a very insecure style, with many
potentially exploitable buffer overflows (including several demonstrated
ones) which could in certain conditions allow the local or remote user to
execute arbitrary code on the local system with increased privileges.

By default the ntop port is installed setuid root and only executable by
root and members of the 'wheel' group. The 'wheel' group is normally only
populated by users who also have root access, but this is not necessarily
the case (the user must know the root password to increase his or her
privileges). ntop allows a member of the wheel group to obtain root
privileges directly through a local exploit.

If invoked in 'web' mode (ntop -w) then any remote user who can connect
to the ntop server port (which is determined by local configuration) can
execute arbitrary code on the server as the user running the ntop
process, regardless of whether or not they can authenticate to the ntop
server by providing a valid username and password. This will not
necessarily yield root privileges unless ntop -w is executed as root,
since by the time it services network connections the program has dropped
privileges, although it retains the ability to view all network traffic
on the sampled network interface (instead of just the connection
summaries which ntop normally presents).
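The local exposure described above rests on the setuid bit the port puts
on the ntop binary, so the first thing to check on an installed system is
which executables under the ports prefix are setuid and whether ntop is
among them. The script below is an added example, not part of this
advisory or of the ntop port: list_setuid, is_setuid, drop_setuid and
sample_bindir are its own names, and the directory it builds stands in for
/usr/local/bin with constructed files. Clearing the bit is the first
workaround of section IV; the ipfw line in the comment is the second and
uses a placeholder port, because the real port number comes from the local
ntop configuration.

```sh
#!/bin/sh
# Added example (not from the advisory): find setuid executables that a
# port may have installed, and apply workaround 1 (clear the setuid bit)
# to a chosen binary.

# List every regular file under $1 that carries the setuid bit (mode 4000).
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Exit 0 if $1 is setuid, 1 otherwise (test -u is the POSIX check).
is_setuid() {
    [ -u "$1" ]
}

# Workaround 1: clear the setuid bit so the program no longer runs with its
# owner's (root's) privileges for anyone else who can execute it.
drop_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Workaround 2 (comment only; not run here): restrict who can reach the
# ntop -w listener.  NTOP_PORT is a placeholder; the real value comes from
# the local ntop configuration.
#   ipfw add deny tcp from any to me NTOP_PORT in

# Constructed sample: a directory with one setuid and one plain executable,
# standing in for /usr/local/bin on an affected system.
sample_bindir() {
    d=$1
    mkdir -p "$d"
    printf '#!/bin/sh\necho ntop\n' > "$d/ntop"
    printf '#!/bin/sh\necho other\n' > "$d/other"
    chmod 4750 "$d/ntop"     # setuid, group-executable only, as the port installs it
    chmod 0755 "$d/other"
}

# Stand-alone run.
bindir=$(mktemp -d) || exit 1
sample_bindir "$bindir"
echo "setuid executables under $bindir:"
list_setuid "$bindir"
drop_setuid "$bindir/ntop" && echo "cleared setuid on $bindir/ntop"
rm -rf "$bindir"
```

On a real system the audit is list_setuid /usr/local/bin, which shows
every setuid program the ports collection has installed, not only ntop;
drop_setuid on the ntop path then leaves the program runnable only with
the caller's own privileges, which for a 4750 root:wheel binary means
root alone gets useful results.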
However, since ntop is not executable by unprivileged users, it is likely
that the majority of installations using 'ntop -w' are doing so as root,
in which case full system compromise is directly possible.

The ntop port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains nearly
3700 third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5 and 4.1 contain this problem since
it was discovered after the releases. FreeBSD makes no claim about the
security of these third-party applications, although an effort is
underway to provide a security audit of the most security-critical ports.

III. Impact

Local users who are members of the wheel group can obtain root privileges
without having to pass through the normal system security mechanisms
(i.e. entering the root password).

If ntop is run in "web" mode (ntop -w) then remote users who can connect
to the ntop server port can also execute arbitrary code on the server as
the user running ntop -w (usually root).

If you have not chosen to install the ntop port/package, then your system
is not vulnerable to this problem.

IV.  Workaround

1) Remove the setuid bit from the ntop binary so that only the superuser
may execute it. Depending on local policy this vulnerability may not
present significant risk.

2) Avoid using ntop -w. If ntop -w is required, consider imposing access
controls to limit access to the ntop server port (e.g. using a perimeter
firewall, or ipfw(8) or ipf(8) on the local machine). Note that
specifying a username/password access list within the ntop configuration
file is insufficient, as noted above. Users who pass the access
restrictions can still gain privileges as described above.

V.   Solution

Due to the lack of attention to security in the ntop port no simple fix
is possible: for example, the local root overflow can easily be fixed,
but since ntop holds a privileged network socket a member of the wheel
group could still obtain direct read access to all network traffic by
exploiting other vulnerabilities in the program, which remains a
technical security violation.

The FreeBSD port has been changed to disable '-w' mode and remove the
setuid bit, so that the command is only available locally to the
superuser. Full functionality will be restored once the ntop developers
have addressed these security concerns and provided an adequate fix -
this advisory will be reissued at that time.

To upgrade your ntop port/package, perform one of the following:

1) Upgrade your entire ports collection and rebuild the ntop port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the version
number of the software has not changed.

3) Download a new port skeleton for the ntop port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh1m1UuHi5z0oilAQFcIgQArlP0hzT+scsGxjI7wTWXh5fgm5E+CFh0
EfeIvYgGCzsCCCAS0nm3vo+a1IUxloJdk27K2oO4aCjTLy+gLe/vnW28gWn9dzle
nIyUDFudMpsx/WpO4F4UkMPTX+w0fiWpNvY2KddjwOeBn2xhRJik9ZVTMpc7zTe6
+2DGgV9jAnM=
=9UuJ
-----END PGP SIGNATURE-----

From owner-freebsd-announce Mon Aug 14 15:52:58 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:37.cvsweb
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814225244.093FC37B704@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:52:44 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:37                                           Security Advisory
                                                                FreeBSD, Inc.
Topic:          cvsweb allows increased access to CVS committers

Category:       ports
Module:         cvsweb
Announced:      2000-08-14
Credits:        Joey Hess
Affects:        Ports collection prior to the correction date.
Corrected:      2000-07-11
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

cvsweb is a CGI script which provides a read-only interface to a CVS
repository for browsing via a web interface.

II.  Problem Description

The cvsweb port, versions prior to 1.86, contains a vulnerability which
allows users with commit access to a CVS repository monitored by cvsweb
to execute arbitrary code as the user running the cvsweb.cgi script,
which may be located on another machine where the committer has no direct
access. The vulnerability is that cvsweb does not correctly process input
obtained from the repository and is vulnerable to embedding of commands
in committed filenames. Such an action is however usually highly visible
in the CVS repository and provides an audit trail of sorts for such
abuses unless the committer has access to modify the repository files
directly to cover his or her tracks.

This vulnerability may or may not be a security issue depending on the
local security policy (for example, CVS itself is known to easily allow
committers to execute commands on the CVS server even without a login
account, so this presents little additional exposure if cvsweb is run on
the CVS server itself).

The cvsweb port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
nearly 3700 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 3.5 contains this problem since it
was discovered after the release, but it was fixed prior to the release
of FreeBSD 4.1. FreeBSD makes no claim about the security of these
third-party applications, although an effort is underway to provide a
security audit of the most security-critical ports.

III. Impact

CVS committers can execute code as the user running the cvsweb.cgi
script, which may present a violation of local security policy.

If you have not chosen to install the cvsweb port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the cvsweb port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the cvsweb port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/cvsweb-1.93.1.10.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the cvsweb port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh1qlUuHi5z0oilAQEAjAP7B+Kss7dLQ3upyq8HLwVMr5fhOPgW6TWK
BtkZ71mBapFQleZi9vWbpd/R2Cow7i42nsZQi8d7kERiXJRW6EGXr125aIA5NopV
1NoR4BKa9KYOP0CI9jqYUWiMj5PfNy03HlLbrDzHbGOIbqMqcsERXEFNGvt0Qvb4
qkjHlQ9faRE=
=VajH
-----END PGP SIGNATURE-----

From owner-freebsd-announce Mon Aug 14 15:57:17 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:38.zope
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814225325.9899237BE28@hub.freebsd.org>
Date: Mon, 14 Aug 2000 15:53:25 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:38                                           Security Advisory
                                                                FreeBSD, Inc.
Topic:          zope port allows remote modification of DTML documents

Category:       ports
Module:         zope
Announced:      2000-08-14
Credits:        Unknown
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-05
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

zope is an object-based dynamic web application platform.

II.  Problem Description

To quote the vendor advisory about this problem:

> The issue involves an inadequately protected method in one of
> the base classes in the DocumentTemplate package that could allow
> the contents of DTMLDocuments or DTMLMethods to be changed
> remotely or through DTML code without forcing proper user
> authorization.

The zope port is not installed by default, nor is it "part of FreeBSD" as
such: it is part of the FreeBSD ports collection, which contains nearly
3700 third-party applications in a ready-to-install format. The ports
collection shipped with FreeBSD 3.5 contains this problem, but FreeBSD
4.1 did not ship with the zope package (and the port was disabled to
prevent building) because the vulnerability was known but not yet fixed.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Remote users can modify DTML documents without authorization.

If you have not chosen to install the zope port/package, then your system
is not vulnerable to this problem.

IV.  Workaround

Deinstall the zope port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the zope port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.0.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the zope port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh1lFUuHi5z0oilAQFsowP+JE+R5hHUpY0pDfNl9Dd/ai354XJh8PYG
X5DlmdMTMiByXkR0KMZBMB9SuRljuqBsknc8L3KB8UIyMUccnN0IhsFqZ2WEYiY4
EAgS7I5EPTf/4y6g81Vt4g+s3l2XXu845kOv92hwJxFgUMINVXrIduJpdICAgcpr
rcw+4BM/Www=
=AoKX
-----END PGP SIGNATURE-----
From owner-freebsd-announce Mon Aug 14 16:15:12 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:38.zope
Reply-To: security-advisories@freebsd.org
Message-Id: <20000814231228.6132C37BF5D@hub.freebsd.org>
Date: Mon, 14 Aug 2000 16:12:28 -0700 (PDT)