• Dedicated Hosting
• Fast Dedicated Servers - Xeon

• Virtual Private Servers (VPS)
• VPS Hosting Review (Top 3)

• Shared Web Hosting
• Top Web Hosting Reviews (Top 3)

• FreeBSD Topics
• Access our FreeBSD Forums
• Home
• How To Install FreeBSD
• Installing Webmin
• Installing ISPConfig
• How To Install Ports/PHP/Perl
• How To Install Apache
• Software Porting
• Dedicated Server Hardware Config
• FreeBSD Security
• Benefits Installing FreeBSD

• IT Information Menu
• Green IT
• Server Control Panel
• The Archives
• Dedicated Server Packages
• Web Hosting Comparison
• Server OS Comparison
• MySQL, SQL, and PostgreSQL
• Pros and cons of Server Packages
• Hosting Services
• Server Software Configuration
• Server Hardware Questions
• Reasons for your own server
• Video Card Drivers
• Cheap Vs High Performance Servers
• Cheap Dedicated Servers
• What is a Virtual Server?

• Server Hardware
• Used servers
• Server Memory
• 667 FB DIMM

• Website Related Info.
• How to Build a Website Overview

Guests Visit the FreeBSD Forums  •  Login to the FreeBSD Forums  •  Register for FREE

Username:  Password:  | Log me on automatically each visit

FreeBSD Security Advisories Notice FreeBSD-SN-02:03

The FreeBSD Security team has issued and announced the latest round of security advisories that have affected many FreeBSD specific and non-specific ports.

Read full advisory announcement


-----BEGIN PGP SIGNED MESSAGE-----

================================================
FreeBSD-SN-02:03 Security Notice
The FreeBSD Project

Topic: security issues in ports
Announced: 2002-05-28

I. Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications. See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II. Ports

+------------------------------------------------------------------------+
Port name: amanda
Affected: versions <= amanda-2.3.0.4
Status: Port removed
Obsolete versions of Amanda contain multiple buffer overflows.
<URL:http://online.securityfocus.com/archive/1/274215>
+------------------------------------------------------------------------+
Port name: fetchmail
Affected: versions < fetchmail-5.9.11
Status: Fixed
<URL:http://tuxedo.org/~esr/fetchmail/NEWS>
<URL:http://rhn.redhat.com/errata/RHSA-2002-047.html>
+------------------------------------------------------------------------+
Port name: gaim
Affected: versions < gaim-0.58
Status: Fixed
World-readable temp files allow access to gaim users' hotmail
accounts.
<URL:http://online.securityfocus.com/archive/1/272180>
+------------------------------------------------------------------------+
Port name: gnokii
Affected: versions < gnokii-0.4.0.p20,1
Status: Fixed
Write access to any file in the filesystem.
<URL:http://www.gnokii.org/news.shtml>
+------------------------------------------------------------------------+
Port name: horde
Affected: versions < horde-1.2.8
Status: Fixed
Cross-site scripting attacks.
+------------------------------------------------------------------------+
Port name: imap-uw
Affected: all versions
Status: Not fixed
Only when compiled with RFC 1730 support (make -DWITH_RFC1730):
Remote buffer overflow yielding non-privileged shell access.
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379>
<URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529&w=2>
+------------------------------------------------------------------------+
Port name: imp
Affected: versions < imp-2.2.8
Status: Fixed
Cross-site scripting attacks.
+------------------------------------------------------------------------+
Port name: linux-netscape6
Affected: versions < 6.2.3
Status: Fixed
XMLHttpRequest allows reading of local files.
<URL:http://online.securityfocus.com/archive/1/270807>
+------------------------------------------------------------------------+
Port name: mnogosearch
Affected: versions < mnogosearch-3.1.19_2
Status: Fixed
Long query can be abused to execute code with webserver privileges.
<URL:http://online.securityfocus.com/archive/1/272025>
+------------------------------------------------------------------------+
Port name: mpg321
Affected: versions < mpg321-0.2.9
Status: Fixed
Buffer overflow may allow remote attackers to execute arbitrary code via
streaming data.
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0272>
+------------------------------------------------------------------------+
Port name: ssh2
Affected: all versions
Status: Not fixed
Password authentication may be used even if password authentication
is disabled.
<URL:http://www.ssh.com/products/ssh/advisories/authentication.cfm>
+------------------------------------------------------------------------+
Port name: tinyproxy
Affected: versions < tinyproxy-1.5.0
Status: Fixed
Invalid query could allow execution of arbitrary code.
<URL:http://tinyproxy.sourceforge.net/NEWS>
+------------------------------------------------------------------------+
Port name: webmin
Affected: versions < webmin-0.970
Status: Fixed
Remote attacker can login to Webmin as any user.
<URL:http://www.webmin.com/webmin/changes.html>
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:
/usr/ports/devel/portcheckout
/usr/ports/misc/porteasy
/usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
http://web.archive.org/web/20031125022116/ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.


+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.

Feedback on Security Notices is welcome at <security-officer@FreeBSD.org>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPPPEdFUuHi5z0oilAQFW8wP8CXG3dQyI5VPLp0m6fr
S4BtNtlkjOpq87
R/ 8FrDizVNGQ88+NzdPPPYWh8joAPGJZSXrWrSWKSge2dqEDK4CT
pJ5BFzpQsxUZ
kexaZ43DRxrUMQN1AWDyarE+/y8uCk3BnJTWhNLOf2HeOYNekOn/BHQ53ucpoaKs
QQEX171+Jnk=
=Z1i5
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

 

Looking for our FreeBSD Forums? We have moved them off our main page,just follow the link to our FreeBSD Forums page.

Copyright © 2009, WEBSERVER CONSUMER GUIDE

Privacy Policy

Please note:
(1) FreeBSD is a registered trademark of The FreeBSD Foundation.
(2) WEBSERVER CONSUMER GUIDE is in no way affiliated with The FreeBSD Foundation