From owner-freebsd-announce Mon Mar 25 14:21: 9 2002
Delivered-To: freebsd-announce@freebsd.org
Received: from charon.ilion.eu.org (silico.lnk.telstra.net [139.130.197.119])
    by hub.freebsd.org (Postfix) with ESMTP id 3DF7C37B417
    for ; Mon, 25 Mar 2002 08:23:34 -0800 (PST)
Received: from localhost (mycenae [203.35.206.129])
    by charon.ilion.eu.org (8.9.2/8.9.3) with ESMTP id DAA87776
    for ; Tue, 26 Mar 2002 03:23:31 +1100 (EST)
    (envelope-from pat@siliconbreeze.com)
Date: Tue, 26 Mar 2002 03:30:25 +1100 (EST)
Message-Id: <20020326.033025.64082884.pat@jantar.org>
To: freebsd-announce@freebsd.org
Subject: BSD Daemon Statuette and the FreeBSD Fund-Raising Project
From: Patryk Zadarnowski
X-Mailer: Mew version 2.1 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I am pleased to announce the first birthday of the BSD Daemon Statuette
and the official launch of our FreeBSD Fund-Raising Project.

In March 2001 Silicon Breeze teamed up with Eliza Design Studio and
released the first ever sculpted metal rendering of the BSD Daemon. You
can see the results at the Linux Jewellery Store
(http://www.linuxjewellery.com/beastie/).

Of course, every birthday calls for a party, so we're having one on our
web site, and everyone's invited. Our party is a grand giveaway: while it
lasts, we are giving a FREE sculpted "BSD inside" computer case badge to
anyone and everyone who asks. No purchase is required - just visit our
web site and say that you want one.

Every celebrant deserves a birthday present, so we're giving every
Beastie leaving us during the party a friend - a free PicoBSD baby daemon
statuette.

If you'd like to visit the Beastie, wish him a happy birthday, maybe grab
one for yourself, and walk away with his birthday gift, please go to:

    http://www.linuxjewellery.com/beastie/

We think that the birthday is the perfect occasion to officially announce
our FreeBSD Fund-Raising Project. Effective from March 2002, Silicon
Breeze has decided to donate 15% of the retail price of every BSD-related
product from the Linux Jewellery Store to FreeBSD, so, every time you buy
one of our BSD Daemon statuettes, BSD key-rings, pins or badges, you know
that 15% of the price you pay goes towards developing FreeBSD!

The funds will be donated to FreeBSD in the form of cash bounties posted
for code needed in the kernel and/or cash donations to the FreeBSD
Foundation. To read more, and find out how you can help, please visit:

    http://www.siliconbreeze.com/freebsd/

--
Patryk Zadarnowski
Silicon Breeze Pty Limited
www.siliconbreeze.com

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Tue Mar 26 11:36:53 2002
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id ED5C737B41A; Tue, 26 Mar 2002 11:36:37 -0800 (PST)
Received: (from nectar@localhost)
    by freefall.freebsd.org (8.11.6/8.11.6) id g2QJabt50188;
    Tue, 26 Mar 2002 11:36:37 -0800 (PST)
    (envelope-from security-advisories@freebsd.org)
Date: Tue, 26 Mar 2002 11:36:37 -0800 (PST)
Message-Id: <200203261936.g2QJabt50188@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:19.squid
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-02:19                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          squid heap buffer overflow in DNS handling

Category:       ports
Module:         squid24
Announced:      2002-03-26
Credits:        zen-parse
Affects:        squid port prior to version 2.4_9
Corrected:      2002-03-22 00:19:55 UTC
FreeBSD only:   NO

I.   Background

The Squid Internet Object Cache is a web proxy/cache.

II.  Problem Description

Incorrect handling of compressed DNS responses could result in a
heap buffer overflow.

The squid port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains thousands of third-party applications in a ready-to-install
format.
The ports collection shipped with FreeBSD 4.5 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A malicious DNS server (or an attacker spoofing a DNS server) could
respond to DNS requests from squid with a specially crafted answer
that would trigger the heap buffer overflow bug. This could crash
the squid process. This bug is not known to be exploitable.

IV.  Workaround

1) Deinstall the squid port/package if you have it installed.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the squid port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
-------------------------------------------------------------------------
ports/www/squid24/Makefile                                           1.89
ports/www/squid24/distinfo                                           1.64
-------------------------------------------------------------------------

VII. References

From owner-freebsd-announce Wed Mar 27 14:34:25 2002
Delivered-To: freebsd-announce@freebsd.org
Received: from cfcl.com (cpe-24-221-169-54.ca.sprintbbd.net [24.221.169.54])
    by hub.freebsd.org (Postfix) with ESMTP id D818C37B405
    for ; Wed, 27 Mar 2002 09:59:29 -0800 (PST)
Received: from [192.168.254.205] (cerberus [192.168.254.205])
    by cfcl.com (8.11.1/8.11.1) with ESMTP id g2RI29U95135
    for ; Wed, 27 Mar 2002 10:02:10 -0800 (PST)
    (envelope-from rdm@cfcl.com)
Mime-Version: 1.0
Message-Id:
Date: Wed, 27 Mar 2002 09:59:24 -0800
To: freebsd-announce@FreeBSD.ORG
From: Rich Morin
Subject: DOSSIER: new volumes
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I'm pleased to report that there are now 14 DOSSIER volumes, most of
which are based (at least partially) on FreeBSD documentation:

C, etc.:          Essential Tools (1)
Email:            Exim 3
                  Mail and Sendmail (1)
File Systems:     FreeBSD (2)
                  RedHat
Kernel:           FreeBSD (2)
PostgreSQL:       Programming and Development
                  Reference Manual
                  Use and Administration
Python:           Library Reference
                  Miscellanea
Security:         Local System (1)
                  Remote Access (1)
Text Processing:  Essential Tools (1)

(1) partially based on FreeBSD documentation
(2) entirely based on FreeBSD documentation

For details, see:

    http://www.ptf.com/dossier
    http://www.ptf.com/dossier/sets/Free.shtml

-r
--
email: rdm@cfcl.com; phone: +1 650-873-7841
http://www.cfcl.com/rdm     - my home page, resume, etc.
http://www.cfcl.com/Meta    - The FreeBSD Browser, Meta Project, etc.
http://www.ptf.com/dossier  - Prime Time Freeware's DOSSIER series
http://www.ptf.com/tdc      - Prime Time Freeware's Darwin Collection
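
Added example for FreeBSD-SA-02:19 above (not part of any message in this archive, and not Squid's code; the advisory does not show the affected source): a DNS name expander that checks every read against the message length and every write against the output buffer, which is the class of check a compressed-response parser needs to avoid a heap overflow. The function name dns_expand_name, the 16-pointer limit and the sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Expand a possibly compressed DNS name at msg[off] into dotted text.
 * Returns the text length, or -1 if the name is malformed or does not fit. */
int dns_expand_name(const unsigned char *msg, size_t msglen, size_t off,
                    char *out, size_t outsz)
{
    size_t n = 0;   /* bytes written to out so far */
    int jumps = 0;  /* compression pointers followed */
    if (outsz == 0) return -1;
    for (;;) {
        if (off >= msglen) return -1;            /* read past end of message */
        unsigned len = msg[off];
        if (len == 0) break;                     /* root label ends the name */
        if ((len & 0xC0) == 0xC0) {              /* 2-byte compression pointer */
            if (off + 1 >= msglen) return -1;
            size_t target = ((len & 0x3F) << 8) | msg[off + 1];
            if (target >= off) return -1;        /* must point at earlier data */
            if (++jumps > 16) return -1;         /* cap pointer chains (assumed limit) */
            off = target;
            continue;
        }
        if (len & 0xC0) return -1;               /* reserved label types */
        if (len > msglen - off - 1) return -1;   /* label overruns message */
        if (n + (n ? 1 : 0) + len + 1 > outsz) return -1; /* dot+label+NUL must fit */
        if (n) out[n++] = '.';
        memcpy(out + n, msg + off + 1, len);
        n += len;
        off += 1 + len;
    }
    out[n] = '\0';
    return (int)n;
}
/* Constructed sample data: "www.example.org" at offset 0, then at offset 17
 * "mail" followed by a pointer (0xC0 0x04) back to "example.org". */
static const unsigned char GOOD[] = { 3,'w','w','w', 7,'e','x','a','m','p','l','e',
    3,'o','r','g', 0, 4,'m','a','i','l', 0xC0, 4 };
static const unsigned char SELF_PTR[] = { 0xC0, 0x00 };    /* points at itself */
static const unsigned char OVERLONG[] = { 63, 'a', 'b' };  /* label past end */

int main(void)
{
    char name[64], tiny[8];
    int len = dns_expand_name(GOOD, sizeof GOOD, 17, name, sizeof name);
    printf("%d %s\n", len, name);
    printf("%d %d %d\n", dns_expand_name(GOOD, sizeof GOOD, 17, tiny, sizeof tiny),
           dns_expand_name(SELF_PTR, sizeof SELF_PTR, 0, name, sizeof name),
           dns_expand_name(OVERLONG, sizeof OVERLONG, 0, name, sizeof name));
    return 0;
}
```

The 8-byte buffer case is the one that matters here: the compressed name is 7 bytes on the wire but expands to 16 characters, so sizing the destination from the wire length is not enough.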