From owner-freebsd-announce Fri Apr  5 07:09:05 2002
Date: Fri, 5 Apr 2002 07:08:57 -0800 (PST)
Message-Id: <200204051508.g35F8vi10916@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: NEW: FreeBSD Security Notices
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

Hello,

Historically, FreeBSD Security Advisories have been used to report
security issues found in the base system, and high-risk issues related
to third-party applications available in the Ports Collection.

The FreeBSD Security Officer Team will now be issuing Security Notices
in addition to Security Advisories. While Security Advisories will
continue to be the team's focus, the Security Notices will provide a
channel for communicating issues that have been previously publicized.
In particular, problems reported with applications in the Ports
Collection that are not FreeBSD-specific are likely to be reported in a
Security Notice. FreeBSD makes no claim about the security of these
third-party applications.

We expect that this will allow the FreeBSD Security Officer Team to
cover more issues --- especially in third-party software --- in a more
timely fashion, while reserving full Security Advisories for problems
in FreeBSD itself or that only affect FreeBSD.

Cheers,
The FreeBSD Security Officer Team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Fri Apr  5 07:28:40 2002
Date: Fri, 5 Apr 2002 07:12:24 -0800 (PST)
Message-Id: <200204051512.g35FCOr11637@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Notice FreeBSD-SN-02:01
Reply-To: security-advisories@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:01                                            Security Notice
                                                            FreeBSD, Inc.

Topic:          security issues in ports

Announced:      2002-03-30

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes no
claim about the security of these third-party applications. See for
more information about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      acroread, acroread-chsfont, acroread-chtfont,
                acroread-commfont, acroread4, linux-mozilla,
                linux-netscape6, linux_base, linux_base-7
Affected:       versions < linux_base-6.1_1 (linux_base port)
                versions < linux_base-7.1_2 (linux_base-7 port)
                versions < linux_mozilla-0.9.9_1
                all versions of all acroread ports
                all versions of linux-netscape6
Status:         Fixed: linux_base, linux_base-7, linux-mozilla.
                Not fixed: acroread, acroread-chsfont, acroread-chtfont,
                acroread-commfont, acroread4, linux-netscape6.

These Linux binaries utilize versions of zlib which may contain an
exploitable double-free bug.
+------------------------------------------------------------------------+
Port name:      apache13-ssl, apache13-modssl
Affected:       all versions of apache+ssl
                all versions of apache+mod_ssl
Status:         Not yet fixed.

Buffer overflows in SSL session cache handling.
+------------------------------------------------------------------------+
Port name:      bulk_mailer
Affected:       all versions
Status:         Not yet fixed.

Buffer overflows, temporary file race.
+------------------------------------------------------------------------+
Port name:      cups, cups-base, cups-lpr
Affected:       versions < cups-1.1.14
                versions < cups-base-1.1.14
                versions < cups-lpr-1.1.14
Status:         Fixed.

Buffer overflows in IPP code.
+------------------------------------------------------------------------+
Port name:      fileutils
Affected:       all versions
Status:         Not yet fixed.

Race condition in directory removal.
+------------------------------------------------------------------------+
Port name:      imlib
Affected:       versions < imlib-1.9.13
Status:         Fixed.

Heap corruption in image handling.
+------------------------------------------------------------------------+
Port name:      listar, ecartis
Affected:       versions < ecartis-1.0.0b
                all versions of listar
Status:         Fixed: ecartis.
                Not fixed: listar.

Local and remote buffer overflows, incorrect privilege handling.
+------------------------------------------------------------------------+
Port name:      mod_php3, mod_php4
Affected:       versions < mod_php3-3.0.18_3
                versions < mod_php4-4.1.2
Status:         Fixed.

Vulnerabilities in file upload handling.
+------------------------------------------------------------------------+
Port name:      ntop
Affected:       all versions
Status:         Not yet fixed.

Remote format string vulnerability.
+------------------------------------------------------------------------+
Port name:      rsync
Affected:       versions < rsync-2.5.4
Status:         Fixed.

Incorrect group privilege handling, zlib double-free bug.
+------------------------------------------------------------------------+
Port name:      xchat, xchat-devel
Affected:       all versions
Status:         Not yet fixed.

Malicious server may cause xchat to execute arbitrary commands.
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

Do one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:

     /usr/ports/devel/portcheckout
     /usr/ports/misc/porteasy
     /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.

+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security Advisory.
Feedback on Security Notices is welcome at .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
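An added check, not part of the notice or of FreeBSD itself, that compares an installed-package inventory against the "Affected:" thresholds in section II, so an administrator can see which of the listed ports need the section III upgrade. It assumes FreeBSD package names of the form NAME-VERSION[_PORTREVISION] with numeric dotted versions; the letter-suffixed ecartis threshold (1.0.0b) is therefore left out of its table.

```shell
# Added example, not from the FreeBSD notice: flag installed packages that fall
# under the "Affected:" thresholds of FreeBSD-SN-02:01. Assumes NAME-VERSION[_REV]
# package names with numeric dotted versions (ecartis "1.0.0b" is not modelled).
# Table: port name, first fixed version (ALL = every version), optional glob
# on the installed version where one port name spans two release lines.
AFFECTED='linux_base 6.1_1 6.*
linux_base 7.1_2 7.*
linux-mozilla 0.9.9_1
cups 1.1.14
cups-base 1.1.14
cups-lpr 1.1.14
imlib 1.9.13
mod_php3 3.0.18_3
mod_php4 4.1.2
rsync 2.5.4
apache13-ssl ALL
apache13-modssl ALL
bulk_mailer ALL
fileutils ALL
listar ALL
ntop ALL
xchat ALL
xchat-devel ALL'
# Return 0 when version $1 sorts before $2: dotted numeric parts first,
# then the _N port revision (absent means 0).
version_lt() {
    a=${1%%_*}; ra=${1#*_}; [ "$ra" = "$1" ] && ra=0
    b=${2%%_*}; rb=${2#*_}; [ "$rb" = "$2" ] && rb=0
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    [ "$ra" -lt "$rb" ]
}
# Read NAME-VERSION lines on stdin and report each one the notice covers.
check_packages() {
    while read -r pkg; do
        name=${pkg%-*}; ver=${pkg##*-}
        printf '%s\n' "$AFFECTED" | while read -r pname fixed glob; do
            [ "$pname" = "$name" ] || continue
            case $ver in ${glob:-*}) ;; *) continue ;; esac
            if [ "$fixed" = ALL ]; then printf '%s: affected (all versions)\n' "$pkg"
            elif version_lt "$ver" "$fixed"; then printf '%s: affected (fixed in %s)\n' "$pkg" "$fixed"
            fi
        done
    done
}
```

Source the file and feed it the first column of pkg_info output (one NAME-VERSION per line) on stdin; each line printed is a package still at or below the affected threshold.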