From owner-freebsd-announce Mon May 13 7:28:48 2002
Date: Mon, 13 May 2002 07:28:30 -0700 (PDT)
Message-Id: <200205131428.g4DESU129287@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Notice FreeBSD-SN-02:02
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:02                                            Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports

Announced:      2002-05-13

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless otherwise
noted.

These ports are not installed by default, nor are they ``part of FreeBSD''
as such.  The FreeBSD Ports Collection contains thousands of third-party
applications in a ready-to-install format.  FreeBSD makes no claim about
the security of these third-party applications.  See for more information
about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      analog
Affected:       versions < analog-5.22
Status:         Fixed

Cross-site scripting attack.

+------------------------------------------------------------------------+
Port name:      ascend-radius, freeradius-devel, icradius, radius-basic,
                radiusclient, radiusd-cistron, xtradius
Affected:       versions < radiusd-cistron-1.6.6
                all versions of ascend-radius, freeradius-devel, icradius,
                radius-basic, radiusclient
Status:         Fixed: radiusd-cistron
                Not fixed: all others

Digest calculation buffer overflow and/or insufficient validation of
attribute lengths.

+------------------------------------------------------------------------+
Port name:      dnews
Affected:       versions < dnews-5.5h2
Status:         Fixed

``Security fault.''

+------------------------------------------------------------------------+
Port name:      ethereal
Affected:       versions < ethereal-0.9.3
Status:         Fixed

SNMP vulnerability: malformed SNMP packets may cause ethereal to crash.

+------------------------------------------------------------------------+
Port name:      icecast
Affected:       versions < icecast-1.3.12
Status:         Fixed

Directory traversal vulnerability.  Remote attackers may cause a denial
of service via a URL that ends in . (dot), / (forward slash), or
\ (backward slash).  Buffer overflows may allow remote attackers to
execute arbitrary code or cause a denial of service.

+------------------------------------------------------------------------+
Port name:      isc-dhcp3
Affected:       versions < dhcp-3.0.1.r8_1
Status:         Fixed

Format string vulnerability when logging DNS-update request transactions.

+------------------------------------------------------------------------+
Port name:      jdk, jdk12-beta
Affected:       all versions
Status:         Not fixed

``A vulnerability in the Java(TM) Runtime Environment may allow an
untrusted applet to monitor requests to and responses from an HTTP proxy
server when a persistent connection is used between a client and an HTTP
proxy server.''  (Bulletin 216)

+------------------------------------------------------------------------+
Port name:      linux-mozilla, mozilla
Affected:       versions < linux-mozilla-0.9.9.2002050810
                versions < mozilla-1.0.rc1_3,1
Status:         Fixed

Buffer overflow in Chatzilla.  XMLHttpRequest allows reading of local
files.

+------------------------------------------------------------------------+
Port name:      mod_python
Affected:       versions < mod_python-2.7.8
Status:         Fixed

A publisher may access an indirectly imported module, allowing a remote
attacker to call functions from that module.

+------------------------------------------------------------------------+
Port name:      ntop
Affected:       all versions
Status:         Not fixed

``Preauthentication Remote Root Hole in NTOP''

+------------------------------------------------------------------------+
Port name:      p5-SOAP-Lite
Affected:       versions < p5-SOAP-Lite-0.55
Status:         Fixed

Client may call any procedure on server.

+------------------------------------------------------------------------+
Port name:      puf
Affected:       versions < puf-0.93.1
Status:         Fixed

Format string vulnerability in error output.

+------------------------------------------------------------------------+
Port name:      sudo
Affected:       versions < sudo-1.6.6
Status:         Fixed

Heap overflow may allow local users to gain root access.

+------------------------------------------------------------------------+
Port name:      webalizer
Affected:       versions < webalizer-2.1.10
Status:         Fixed

Buffer overflow in the DNS resolver code.

+------------------------------------------------------------------------+
Port name:      xpilot
Affected:       versions < xpilot-4.5.2
Status:         Fixed

Stack buffer overflow in server.

+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
   Several tools are available in the Ports Collection to make this
   easier.  See:

      /usr/ports/devel/portcheckout
      /usr/ports/misc/porteasy
      /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

   [i386]
   ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

   Packages are not automatically generated for other architectures at
   this time.

+------------------------------------------------------------------------+

FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security Advisory.
Feedback on Security Notices is welcome at .

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBPN/CwlUuHi5z0oilAQERywP/dSqt97FPlLlDJE7tYpA5625FSjqbrWod
KsoKIBHM2ZIHAjnhAyF82tUT4ivMvJwepk1NE+W9YX77K7n5LHkfqY4kzCaVZJrY
gkaR63Dw+M5gqJ5FjO0RkSDxsltsKjSa6ZzKxWdAeRwDPbE7CwsjTI2AoS/kzaLw
ex+PhdbYjbc=
=fK1t
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
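The upgrade steps in section III tell you what to do once you know a package is affected; deciding that for every installed package means comparing each version against the "versions < ..." thresholds in section II. The script below is an added example, not code from the notice or from the FreeBSD Project: it transcribes the thresholds into a table, reads pkg_info(1)-style "name-version  comment" lines, and reports which installed packages fall below the first fixed version or belong to a port the notice lists as "all versions" affected. It assumes a simplified form of the pkg_version(1) ordering (epoch, then dot-separated components, then port revision, with alphabetic markers such as rc sorting below the release they precede), takes the package name for the isc-dhcp3 port to be dhcp as the notice's own "dhcp-3.0.1.r8_1" indicates, and assumes that for ports with no fixed version the package name equals the port name. The sample listing in the block is constructed, not taken from a real system.

```python
"""Check installed FreeBSD packages against the thresholds in FreeBSD-SN-02:02.

Added example, not part of the notice: reads pkg_info(1)-style lines
("name-version  comment") and flags a package whose version is below the first
fixed version the notice gives, or any version of a port listed as "all versions".
"""
import re

# Package name -> first fixed package version, transcribed from the notice, or
# None where the notice says all versions are affected and nothing is fixed.
# Keys are package names (text before the version): the isc-dhcp3 port is keyed
# "dhcp" as the notice's own "dhcp-3.0.1.r8_1" shows; for the None entries the
# package name is assumed to equal the port name (assumption).
NOTICE_SN_02_02 = {
    "analog": "5.22", "radiusd-cistron": "1.6.6", "dnews": "5.5h2",
    "ethereal": "0.9.3", "icecast": "1.3.12", "dhcp": "3.0.1.r8_1",
    "linux-mozilla": "0.9.9.2002050810", "mozilla": "1.0.rc1_3,1",
    "mod_python": "2.7.8", "p5-SOAP-Lite": "0.55", "puf": "0.93.1",
    "sudo": "1.6.6", "webalizer": "2.1.10", "xpilot": "4.5.2",
    # "all versions" affected, nothing fixed (xtradius: "Not fixed: all others")
    "ascend-radius": None, "freeradius-devel": None, "icradius": None,
    "radius-basic": None, "radiusclient": None, "xtradius": None,
    "jdk": None, "jdk12-beta": None, "ntop": None,
}

PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)$")
TOKEN_RE = re.compile(r"\d+|[A-Za-z]+")


def split_pkgname(pkg):
    """'linux-mozilla-0.9.9.2002050810' -> ('linux-mozilla', '0.9.9.2002050810')."""
    m = PKG_RE.match(pkg)          # the version is everything after the last '-'
    if not m:
        raise ValueError("not a NAME-VERSION package name: %r" % pkg)
    return m.group("name"), m.group("version")


def version_key(version):
    """Split VERSION[_REVISION][,EPOCH] into (epoch, components, revision).

    Simplified model of the pkg_version(1) ordering (assumption: enough for the
    strings in this notice, not every corner of the real algorithm): epoch
    dominates, then components left to right, then the port revision. Numbers
    compare as integers; an alphabetic part such as "rc" or "pre" sorts below a
    number, so 1.0.rc1 < 1.0 < 1.0.1.
    """
    epoch = revision = 0
    if "," in version:
        version, e = version.rsplit(",", 1)
        epoch = int(e)
    if "_" in version:
        version, r = version.rsplit("_", 1)
        revision = int(r)
    comps = [(1, int(t), "") if t.isdigit() else (0, 0, t.lower())
             for t in TOKEN_RE.findall(version)]
    return epoch, comps, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is below, equal to or above version b."""
    ea, ca, ra = version_key(a)
    eb, cb, rb = version_key(b)
    # Missing trailing components count as numeric zero: 1.0 == 1.0.0, and the
    # padding outranks an alphabetic marker so 1.0 > 1.0.rc1.
    pad, n = (1, 0, ""), max(len(ca), len(cb))
    ca, cb = ca + [pad] * (n - len(ca)), cb + [pad] * (n - len(cb))
    for x, y in ((ea, eb), (ca, cb), (ra, rb)):
        if x != y:
            return -1 if x < y else 1
    return 0


def audit(pkg_info_lines, notice=NOTICE_SN_02_02):
    """Map each pkg_info line to 'vulnerable', 'fixed' or None (not listed)."""
    verdicts = {}
    for line in pkg_info_lines:
        if not line.strip():
            continue
        pkg = line.split()[0]
        name, version = split_pkgname(pkg)
        if name not in notice:
            verdicts[pkg] = None
        elif notice[name] is None or compare_versions(version, notice[name]) < 0:
            verdicts[pkg] = "vulnerable"
        else:
            verdicts[pkg] = "fixed"
    return verdicts


# Constructed sample of pkg_info(1) output; not taken from a real system.
SAMPLE_PKG_INFO = """\
analog-5.22          Extremely fast program for analysing WWW logfiles
bash-2.05a           The GNU Bourne Again Shell
dhcp-3.0.1.r8        ISC DHCP client and server
ethereal-0.9.3       A network protocol analyzer
mozilla-0.9.9_1      Mozilla web browser
mozilla-1.0.rc1_3,1  Mozilla web browser
ntop-2.0             Network monitoring tool
sudo-1.6.5_1         Allow others to run commands as root
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = SAMPLE_PKG_INFO if sys.stdin.isatty() else sys.stdin.readlines()
    for pkg, verdict in sorted(audit(lines).items()):
        print("%-22s %s" % (pkg, verdict or "not in notice"))
```

Run with no input and it reports on the constructed sample; pipe real pkg_info(1) output into it to check a 4-STABLE system. A "vulnerable" verdict is the cue for step 1) or 2) above. The comparison is deliberately simplified, so for any version string that looks unusual (letters in odd places, several underscores) confirm the ordering with pkg_version -t, which is the authoritative implementation.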
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Wed May 15 10:38:54 2002
Message-Id: <200205151343.g4FDhrj1069364@grimreaper.grondar.org>
To: announce@freebsd.org
Subject: Perl5 is leaving the base system for 5.0 and after!
Date: Wed, 15 May 2002 14:43:52 +0100
From: Mark Murray
Sender: owner-freebsd-announce@FreeBSD.ORG

Hello folks!

It has been decided after some debate to remove Perl5 from the "Base
FreeBSD" sources.  This decision was not taken lightly, and was taken in
consultation with (but not seeking the approval of) the perl5 developer
community.

There are 2 main reasons for this:

1) Perl5 is getting larger very fast, and FreeBSD cannot afford the time
   and space to build and maintain it.

2) Upgrading the "base perl" is a nightmare that regularly breaks
   upgrades and cross-builds, to the intense annoyance of the FreeBSD
   developer community.

Speaking as the "Perl5 guy", keeping FreeBSD's "base perl" up to date was
hellish, and folks who wish a return to that state should please consider
doing this work in my place.  BEWARE!  This job is not trivial!

PERL IS NOT BEING OSTRACISED!  FreeBSD is not taking this action because
of any dispute between the FreeBSD community and the Perl community - such
a dispute DOES NOT EXIST!  In fact, the Perl community have been exemplary
in their attempts to understand the problem, and in their proposals to
deal with it.  FreeBSD DOES NOT HATE PERL!

Some time in the future, perl may be split in half, such that the core
language and the standard libraries may be separately installed.  In such
a case, FreeBSD might be in a position to better deal with the problem of
the very large perl libraries.  Such splitting will be done by the perl
community, NOT by us, although we will be taking note.

In the meanwhile, the Perl5 Port will continue to be available, and
continued discussion indicates that there is very substantial support for
it to be installed by default (or near-default) by sysinstall.  This will
result in a FreeBSD that has effectively the same Perl5 that is kept
up-to-date in ports, rather than the one that is left to rot in STABLE.

This update will _NOT_ be MFCed.  The first FreeBSD that has no perl in
the default sources will be 5.0-RELEASE, when that is released at the end
of this year.  FreeBSD-4.n will continue with the perl that it currently
has.  The ports system will continue to support Perl5.

M
--
o       Mark Murray
\_
O.\_    Warning: this .sig is umop ap!sdn