From owner-freebsd-security-notifications  Thu Oct 10  6: 3:20 2002
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id B06B637B406; Thu, 10 Oct 2002 06:03:18 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id E0C7C43EA9; Thu, 10 Oct 2002 06:03:17 -0700 (PDT)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (jedgar@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g9AD3HCo040110;
	Thu, 10 Oct 2002 06:03:17 -0700 (PDT)
	(envelope-from security-advisories@freebsd.org)
Received: (from jedgar@localhost)
	by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g9AD3Hvg040108;
	Thu, 10 Oct 2002 06:03:17 -0700 (PDT)
Date: Thu, 10 Oct 2002 06:03:17 -0700 (PDT)
Message-Id: <200210101303.g9AD3Hvg040108@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Notice FreeBSD-SN-02:06
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security-notifications.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security-notifications>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security-notifications>
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:06                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports
Announced:      2002-10-10

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      apache13, apache13+ipv6, apache13-fp, apache13-modssl and
                apache13-ssl 
Status:         Fixed (apache13, apache13+ipv6, apache13-fp and apache13-modssl)
                Not fixed (apache13-ssl)
Affected:       versions < apache+ipv6-1.3.27 
                versions < apache+mod_ssl-1.3.27+2.8.11
                versions < apache-1.3.27
                versions < apache_fp-1.3.27
                versions < ru-apache-1.3.27.30.16 
Attackers can cause httpd to spawn new processes, or can kill other
processes, resulting in denial of service.
<URL:http://www.apache.org/dist/httpd/Announcement.html>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839>
+------------------------------------------------------------------------+
Port name:      gaim
Affected:       versions < gaim-0.59.1
Status:         Fixed
The URL handler in the manual browser option for Gaim before 0.59.1
fails to escape shell metacharacters in links.
<URL:http://gaim.sourceforge.net/ChangeLog>
+------------------------------------------------------------------------+
Port name:      gallery
Affected:       versions < gallery-1.3.1
Status:         Fixed
Remotely exploitable.
<URL:http://www.freebsd.org/cgi/query-pr.cgi?pr=41465>
<URL:http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/gallery/gallery/errors/configmode.php>
<URL:http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/gallery/gallery/captionator.php>
+------------------------------------------------------------------------+
Port name:      gtar 
Affected:       versions < gtar-1.13.25_5
Status:         Fixed
Directory traversal bug allows files to be overwritten unexpectedly
when an archive is extracted.
<URL:http://www.security.nnov.ru/advisories/archdt.asp>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0399>
+------------------------------------------------------------------------+
Port name:      hylafax
Affected:       versions < hylafax-4.1.3
Status:         Fixed
Format string vulnerability and buffer overflow resulting in potential
denial of service attack, arbitrary code execution as root, and elevation
of privilege.
<URL:http://www.hylafax.org/4.1.3.html>
+------------------------------------------------------------------------+
Port name:      linux_base-6
Affected:       versions < linux_base-6.1_2
Status:         Fixed
multiple vulnerabilities in Xlib
<URL:http://rhn.redhat.com/errata/RHSA-2001-071.html>
+------------------------------------------------------------------------+
Port name:      linux_base and linux_base-6
Affected:       versions < linux_base-7.1_1 (linux_base)
                versions < linux_base-6.1_2 (linux_base-6)
Status:         Fixed
XDR RPC and resolver buffer overflows in glibc
<URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A28.resolv.asc>
<URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A34.rpc.asc>
<URL:http://rhn.redhat.com/errata/RHSA-2002-139.html>
<URL:http://rhn.redhat.com/errata/RHSA-2002-166.html>
+------------------------------------------------------------------------+
Port name:      linux-flashplugin
Affected:       versions < linux-flashplugin-5.0r50
Status:         Fixed
A buffer overflow allowed execution of arbitrary code.  Another bug
allowed the contents of users' files to be sent to a malicious Web
server.
<URL:http://www.macromedia.com/v1/handlers/index.cfm?ID=23294&Method=Full&Title=MPSB02%2D10%20%2D%20Macromedia%20Flash%20URL%20Modification%20Issue>
<URL:http://www.macromedia.com/v1/handlers/index.cfm?ID=23293&Method=Full&Title=MPSB02%2D09%20%2D%20Macromedia%20Flash%20Malformed%20Header%20Vulnerability%20Issue>
+------------------------------------------------------------------------+
Port name:      mozilla, mozilla-devel
Affected:       versions < mozilla-1.0.1_1,2 (mozilla)
                versions < linux-mozilla-1.0_1 (mozilla-devel)
Status:         Not fixed
An overflow exists in the Chatzilla IRC client.  It can cause Mozilla
to crash even if the demonstration page does not cause the crash.
According to Robert Ginda, the bug does not allow execution of
malicious code.  Chatzilla had been disabled in the affected ports,
but it was inadvertently enabled again.  The presence of Chatzilla
is indicated by an icon in the status bar, by an item in the Window
menu, and by the existence of the chatzilla.jar file.  As a workaround,
remove chatzilla.jar.
<URL:http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html>
<URL:http://bugzilla.mozilla.org/show_bug.cgi?id=163588>
<URL:http://bugzilla.mozilla.org/show_bug.cgi?id=94448>
+------------------------------------------------------------------------+
Port name:      opera
Affected:       versions < opera-6.03.20020813
Status:         Fixed
Buffer overflows in OpenSSL may allow execution of arbitrary code.
<URL:http://www.opera.com/pressreleases/en/2002/08/20020816.html>
<URL:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A33.openssl.asc>
+------------------------------------------------------------------------+
Port name:      php
Affected:       versions mod_php4-4.0.5 to mod_php4-4.2.2
                versions >= php4-4.0.5 to php4-4.2.2
Status:         Fixed
possible execution of arbitrary code via mail() function
<URL:http://online.securityfocus.com/archive/1/194425>
<URL:http://online.securityfocus.com/archive/1/288804>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1246>
<URL:http://www.php.net/ChangeLog-4.php>
+------------------------------------------------------------------------+
Port name:      pkzip
Affected:       all versions
Status:         Not Fixed
If the -rec option is used when extracting an archive, files with
"/" as the first character in the path, or with "../" may be
extracted.
<URL:http://www.security.nnov.ru/advisories/archdt.asp>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1270>
+------------------------------------------------------------------------+
Port name:      qmailadmin
Affected:       versions < qmailadmin-1.0.6
Status:         Fixed
Installs setuid with exploitable buffer overflow leading to
privileges of `vpopmail' user.
<URL:http://security-archive.merton.ox.ac.uk/bugtraq-200208/0117.html>
+------------------------------------------------------------------------+
Port name:      unzip
Affected:       versions < unzip-5.50
Status:         Fixed
Files with "/" as the first character in the path, or with "../"
in the path may be extracted from an archive.
<URL:http://www.security.nnov.ru/advisories/archdt.asp>
<URL:http://www.info-zip.org/UnZip.html>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1268>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1269>
<URL:http://online.securityfocus.com/archive/1/196445>
<URL:http://cert.uni-stuttgart.de/archive/bugtraq/2001/07/msg00206.html>
+------------------------------------------------------------------------+
Port name:      webmin
Affected:       versions < webmin-1.020
Status:         Fixed
A prepackaged SSL key was identical for every installation, allowing
sessions to be hijacked.
<URL:http://www.webmin.com/changes.html>
+------------------------------------------------------------------------+
Port name:      XFree86-4, XFree86-4-Server, XFree86-4-NestServer,
                XFree86-4-VirtualFramebufferServer, XFree86-4-libraries,
                XFree86-4-clients
Affected:       versions < XFree86-Server-4.2.1_1
                versions < XFree86-libraries-4.2.1_1
                versions < XFree86-clients-4.2.1_1
                versions < XFree86-NestServer-4.2.1
                versions < XFree86-VirtualFramebufferServer-4.2.1
Status:         Fixed
Arbitrary code execution in privileged clients; overwriting restricted
shared memory segments; others.
<URL:http://www.xfree.org/security/>
+------------------------------------------------------------------------+
Port name:      xinetd
Affected:       versions < xinetd-2.3.7
Status:         Fixed
A file descriptor leak in xinetd could give an unprivileged process
the ability to terminate the master xinetd process.
<URL:http://www.xinetd.org/>
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier.  See:
  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.


+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.

Feedback on Security Notices is welcome at <security-officer@FreeBSD.org>.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBPaTD11UuHi5z0oilAQEXHgP9HR2gmVgRwAvKCqmlQVAEA6N3TwLFu1g/
QXOlOZB0asu4XCFzj7effNVrCMob93ZOMSjDo4+SdKdp11TX3SaOrP3mPUcaimbs
owHZD77Rqb4fhajWVPjezYzXpJX0C7qb4HS7SnCzNde98PG+acVcvyGyqmY/9Yuy
pVMUC9fjkFY=
=ybhF
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message