From owner-freebsd-announce Tue May 28 10:58:33 2002
Date: Tue, 28 May 2002 10:58:17 -0700 (PDT)
Message-Id: <200205281758.g4SHwHR75675@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Notice FreeBSD-SN-02:03
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:03                                            Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports

Announced:      2002-05-28

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless otherwise
noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes no
claim about the security of these third-party applications.  See
for more information about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      amanda
Affected:       versions <= amanda-2.3.0.4
Status:         Port removed

Obsolete versions of Amanda contain multiple buffer overflows.

+------------------------------------------------------------------------+
Port name:      fetchmail
Affected:       versions < fetchmail-5.9.11
Status:         Fixed

+------------------------------------------------------------------------+
Port name:      gaim
Affected:       versions < gaim-0.58
Status:         Fixed

World-readable temp files allow access to gaim users' hotmail accounts.

+------------------------------------------------------------------------+
Port name:      gnokii
Affected:       versions < gnokii-0.4.0.p20,1
Status:         Fixed

Write access to any file in the filesystem.

+------------------------------------------------------------------------+
Port name:      horde
Affected:       versions < horde-1.2.8
Status:         Fixed

Cross-site scripting attacks.

+------------------------------------------------------------------------+
Port name:      imap-uw
Affected:       all versions
Status:         Not fixed

Only when compiled with RFC 1730 support (make -DWITH_RFC1730):
Remote buffer overflow yielding non-privileged shell access.

+------------------------------------------------------------------------+
Port name:      imp
Affected:       versions < imp-2.2.8
Status:         Fixed

Cross-site scripting attacks.

+------------------------------------------------------------------------+
Port name:      linux-netscape6
Affected:       versions < 6.2.3
Status:         Fixed

XMLHttpRequest allows reading of local files.

+------------------------------------------------------------------------+
Port name:      mnogosearch
Affected:       versions < mnogosearch-3.1.19_2
Status:         Fixed

Long query can be abused to execute code with webserver privileges.

+------------------------------------------------------------------------+
Port name:      mpg321
Affected:       versions < mpg321-0.2.9
Status:         Fixed

Buffer overflow may allow remote attackers to execute arbitrary code
via streaming data.

+------------------------------------------------------------------------+
Port name:      ssh2
Affected:       all versions
Status:         Not fixed

Password authentication may be used even if password authentication
is disabled.

+------------------------------------------------------------------------+
Port name:      tinyproxy
Affected:       versions < tinyproxy-1.5.0
Status:         Fixed

Invalid query could allow execution of arbitrary code.

+------------------------------------------------------------------------+
Port name:      webmin
Affected:       versions < webmin-0.970
Status:         Fixed

Remote attacker can login to Webmin as any user.

+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this easier.
See:

  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.

+------------------------------------------------------------------------+

FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security Advisory.
Feedback on Security Notices is welcome at .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPPPEdFUuHi5z0oilAQFW8wP8CXG3dQyI5VPLp0m6frS4BtNtlkjOpq87
R/8FrDizVNGQ88+NzdPPPYWh8joAPGJZSXrWrSWKSge2dqEDK4CTpJ5BFzpQsxUZ
kexaZ43DRxrUMQN1AWDyarE+/y8uCk3BnJTWhNLOf2HeOYNekOn/BHQ53ucpoaKs
QQEX171+Jnk=
=Z1i5
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Wed May 29 9:37: 5 2002
Date: Wed, 29 May 2002 09:36:31 -0700 (PDT)
Message-Id: <200205291636.g4TGaVO40759@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:26.accept
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:26.accept                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Remote denial-of-service when using accept filters

Category:       core
Module:         kernel
Announced:      2002-05-29
Credits:        Mike Silbersack
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE after 2001-11-22 and prior to the
                correction date
Corrected:      2002-05-21 18:03:16 UTC (RELENG_4)
                2002-05-28 18:27:55 UTC (RELENG_4_5)
FreeBSD only:   YES

I.   Background

FreeBSD features an accept_filter(9) mechanism which allows an
application to request that the kernel pre-process incoming
connections.  For example, the accf_http(9) accept filter prevents
accept(2) from returning until a full HTTP request has been buffered.

No accept filters are enabled by default.  A system administrator must
either compile the FreeBSD kernel with a particular accept filter option
(such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in
order to utilize accept filters.

II.  Problem Description

In the process of adding a syncache to FreeBSD, mechanisms to remove
entries from the incomplete listen queue were removed, as only sockets
undergoing accept filtering now use the incomplete queue.

III. Impact

By simply connecting to a socket using accept filtering and holding a
few hundred sockets open (~190 with the default backlog value), one may
deny access to a service.  In addition to malicious users, this effect
has also been reported to be caused by worms such as Code Red, which
generate URLs that do not meet the HTTP accept filter's criteria.

Systems are not affected by this bug unless they have enabled accept
filters in the kernel and are utilizing an application configured to
take advantage of this feature.  Apache (versions 1.3.14 and later) is
the only application known to utilize accept filters by default.

IV.  Workaround

Do not use accept filters.

If you have enabled the ACCEPT_FILTER_DATA or ACCEPT_FILTER_HTTP options
in your kernel, remove these options and recompile your kernel as
described in and reboot the system.

If you have loaded one of the kernel accept filters by using kldload(8),
then you must modify your startup scripts not to load these modules and
reboot your system.  You may list loaded kernel modules by using
kldstat(8).  If loaded, the HTTP accept filter will be listed as
`accf_http.ko', and the Data accept filter will be listed as
`accf_data.ko'.

For affected versions of Apache, accept filters may be disabled either
by adding the directive ``AcceptFilter off'' to your configuration file,
or via a compile-time option, depending upon the version.  Please see
the Apache documentation for details.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to the RELENG_4_5
(4.5-RELEASE-p6) security branch dated after the respective correction
dates.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.5-RELEASE
and 4.5-STABLE systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:26/accept.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:26/accept.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                  Branch        Revision
- -------------------------------------------------------------------------
src/sys/kern/uipc_socket.c            RELENG_4      1.68.2.21
                                      RELENG_4_5    1.68.2.17.2.1
src/sys/kern/uipc_socket2.c           RELENG_4      1.55.2.15
                                      RELENG_4_5    1.55.2.10.2.1
src/sys/conf/newvers.sh               RELENG_4_5    1.44.2.20.2.7
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPPUCC1UuHi5z0oilAQFApAP6ApvgOydr72UHKHXiRZnGxiwBhpyVE+mH
5xdDP45s0GaUChA7GLbpv0hLL5syNPMavo7ygRuqD6pHFA0xpVn3hUXtLh09dhwS
YTDWrC2VL9QJmFWIxMNzo0OXD1uDBrlGEk3Ew0jWT2ewe46QW1czpPYCeGg4Bx+i
+FzEQ9V4D8k=
=W+BP
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
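The workaround in FreeBSD-SA-02:26 above says to check kldstat(8) for `accf_http.ko' and `accf_data.ko'. The script below is an added example, not part of the advisory: it parses kldstat-style output for exactly those two module names so the check can be dropped into an audit script. The two listings it runs on are constructed samples, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of FreeBSD-SA-02:26: scan kldstat(8) output for the
# accept filter modules the advisory names (accf_http.ko and accf_data.ko).
# The two listings below are constructed samples, not captured output.

# Sample: host with both accept filter modules loaded.
SAMPLE_LOADED='Id Refs Address    Size     Name
 1    4 0xc0100000 3c9c6c   kernel
 2    1 0xc0c29000 3000     accf_http.ko
 3    1 0xc0c2c000 9000     linux.ko
 4    1 0xc0c36000 2000     accf_data.ko'

# Sample: host with no accept filter loaded.
SAMPLE_CLEAN='Id Refs Address    Size     Name
 1    2 0xc0100000 3c9c6c   kernel
 2    1 0xc0c2c000 9000     linux.ko'

# accept_filters_loaded TEXT
#   Prints the name of every accept filter module found in the kldstat text
#   TEXT, one per line.  Exit status 0 if at least one was found, 1 if none.
#   The header line is skipped; only the last column (Name) is compared.
accept_filters_loaded() {
    printf '%s\n' "$1" | awk '
        NR > 1 && ($NF == "accf_http.ko" || $NF == "accf_data.ko") {
            print $NF
            found = 1
        }
        END { exit !found }'
}

# accept_filter_status TEXT
#   One-line verdict for an audit log, built on accept_filters_loaded.
accept_filter_status() {
    mods=$(accept_filters_loaded "$1") || {
        echo "no accept filters loaded"
        return 0
    }
    echo "accept filters loaded: $(printf '%s' "$mods" | tr '\n' ' ')"
}

# On a FreeBSD host the live check is:  accept_filter_status "$(kldstat)"
# Here the constructed samples stand in for kldstat output.
accept_filter_status "$SAMPLE_LOADED"
accept_filter_status "$SAMPLE_CLEAN"
```

A non-empty result means the host still meets the first of the advisory's two conditions (filter loaded); whether an application such as Apache actually uses it is a separate check against the application's configuration.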
From owner-freebsd-announce Wed May 29 9:39:58 2002
Date: Wed, 29 May 2002 09:36:35 -0700 (PDT)
Message-Id: <200205291636.g4TGaZV40792@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:27.rc
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:27.rc                                       Security Advisory
                                                          The FreeBSD Project

Topic:          rc uses file globbing dangerously

Category:       core
Module:         rc
Announced:      XXXX-XX-XX
Credits:        lumpy
Affects:        FreeBSD 4.4-RELEASE
                FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2002-05-09 17:39:01 UTC (RELENG_4)
                2002-05-09 17:40:27 UTC (RELENG_4_5)
                2002-05-09 17:41:05 UTC (RELENG_4_4)
FreeBSD only:   YES

I.   Background

rc is the system startup script (/etc/rc).  It is run when FreeBSD is
booted multi-user, and performs a multitude of tasks to bring the system
up.  One of these tasks is to remove lock files left by X Windows, as
their existence could prevent one from restarting the X Windows server.

II.  Problem Description

When removing X Windows lock files, rc uses the rm(1) command and shell
globbing:

        rm -f /tmp/.X*-lock /tmp/.X11-unix/*

Since /tmp is a world-writable directory, a user may create
/tmp/.X11-unix as a symbolic link to an arbitrary directory.  The next
time that rc is run (i.e. the next time the system is booted), rc will
then remove all of the files in that directory.

III. Impact

Users may remove the contents of arbitrary directories if the
/tmp/.X11-unix directory does not already exist and the system can be
enticed to reboot (or the user can wait until the next system
maintenance window).

IV.  Workaround

Find and remove or comment out the following line in /etc/rc:

        rm -f /tmp/.X*-lock /tmp/.X11-unix/*

The following command executed as root will do this:

/bin/sh -c 'echo -e "/.X11-unix/s/^/#/\nw\nq\n" | /bin/ed -s /etc/rc'

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
RELENG_4_5 (4.5-RELEASE-p6) or RELENG_4_4 (4.4-RELEASE-p13) security
branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:27/rc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:27/rc.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Install the new rc script:

# cd /usr/src/etc
# install -c -o root -g wheel -m 644 rc /etc/rc

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                  Branch        Revision
- -------------------------------------------------------------------------
src/etc/rc                            RELENG_4      1.212.2.50
                                      RELENG_4_5    1.212.2.38.2.1
                                      RELENG_4_4    1.212.2.34.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPPUCJFUuHi5z0oilAQFP6AQArXkMZig8qYFpb38y1oN5BsnqEHFzasTi
pS8emo40Mx9ki4DPRiiLSfzukymVXkjVIcDjKju7qNAxugN4TbZG2AcqZITav0gF
i+vdhUnNf5v2Lp8LwwxtsfNIj2aoikXTTwW9fjJFOmQpDOObNYaSg0bMI+13kcIq
4mTmQs507aI=
=nn/w
-----END PGP SIGNATURE-----
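FreeBSD-SA-02:27 above describes why `rm -f /tmp/.X11-unix/*` is unsafe when /tmp is world-writable: the shell resolves the glob through a symbolic link, so the files removed may belong to whatever directory the link points at. The script below is an added example, not the advisory's or FreeBSD's own code: it keeps the affected pattern beside a hardened variant that refuses to descend into `.X11-unix' when it is a link, and exercises both inside a throwaway directory created with mktemp(1) in place of the real /tmp. The sandbox layout and the function names are the example's own assumptions.

```sh
#!/bin/sh
# Added example, not taken from FreeBSD-SA-02:27 or from /etc/rc: the X lock
# file clean-up pattern the advisory describes, beside a hardened variant,
# both run against a scratch directory instead of the real /tmp.

# Affected pattern (as in the vulnerable /etc/rc, with $tmp for /tmp).
# The glob is resolved through symbolic links, so if .X11-unix is a link
# the entries of the link target are what gets removed.
unsafe_clean_x_locks() {
    tmp=$1
    rm -f "$tmp"/.X*-lock "$tmp"/.X11-unix/*
}

# Hardened variant: remove the lock files, but only clean .X11-unix when it
# is a real directory; a symbolic link is reported and left alone.
safe_clean_x_locks() {
    tmp=$1
    rm -f "$tmp"/.X*-lock
    if [ -L "$tmp/.X11-unix" ]; then
        echo "$tmp/.X11-unix is a symbolic link; not cleaning it" >&2
        return 1
    fi
    if [ -d "$tmp/.X11-unix" ]; then
        rm -f "$tmp"/.X11-unix/*
    fi
    return 0
}

# build_sandbox MODE
#   Creates a constructed scratch tree and prints its path:
#     tmp/.X0-lock            a stale lock file
#     victim/important.txt    an unrelated file that must survive
#   MODE "symlink" makes tmp/.X11-unix a link to victim/ (the condition the
#   advisory describes); MODE "dir" makes it a real directory with one entry.
build_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/tmp" "$sb/victim"
    echo "keep me" > "$sb/victim/important.txt"
    : > "$sb/tmp/.X0-lock"
    if [ "$1" = symlink ]; then
        ln -s "$sb/victim" "$sb/tmp/.X11-unix"
    else
        mkdir "$sb/tmp/.X11-unix"
        : > "$sb/tmp/.X11-unix/X0"
    fi
    echo "$sb"
}

# victim_intact SANDBOX: exit 0 if the unrelated file is still there.
victim_intact() {
    [ -f "$1/victim/important.txt" ]
}

# Demonstration: the affected pattern against the symlink layout ...
sb=$(build_sandbox symlink)
unsafe_clean_x_locks "$sb/tmp"
if victim_intact "$sb"; then
    echo "unsafe: unrelated file intact"
else
    echo "unsafe: unrelated file removed through the symbolic link"
fi
rm -rf "$sb"

# ... and the hardened variant against the same layout.
sb=$(build_sandbox symlink)
safe_clean_x_locks "$sb/tmp" 2>/dev/null || echo "safe: refused to follow the link"
victim_intact "$sb" && echo "safe: unrelated file intact"
rm -rf "$sb"
```

The hardened variant still removes the stale lock files, which is the job rc was doing; it only declines the one step whose target a local user could redirect. Checking with `-L` before `-d` matters because `-d` is true for a link to a directory.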