-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SN-02:06 Security Notice
The FreeBSD Project
Topic: security issues in ports
Announced: 2002-10-10
I. Introduction
Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.
These ports are not installed by default, nor are they ``part of
FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications. See
for more information about the
FreeBSD Ports Collection.
II. Ports
+------------------------------------------------------------------------+
Port name: apache13, apache13+ipv6, apache13-fp, apache13-modssl and
apache13-ssl
Status: Fixed (apache13, apache13+ipv6, apache13-fp and apache13-modssl)
Not fixed (apache13-ssl)
Affected: versions < apache+ipv6-1.3.27
versions < apache+mod_ssl-1.3.27+2.8.11
versions < apache-1.3.27
versions < apache_fp-1.3.27
versions < ru-apache-1.3.27.30.16
Attackers can cause httpd to spawn new processes, or can kill other
processes, resulting in denial of service.
+------------------------------------------------------------------------+
Port name: gaim
Affected: versions < gaim-0.59.1
Status: Fixed
The URL handler in the manual browser option for Gaim before 0.59.1
fails to escape shell metacharacters in links.
+------------------------------------------------------------------------+
Port name: gallery
Affected: versions < gallery-1.3.1
Status: Fixed
Remotely exploitable.
+------------------------------------------------------------------------+
Port name: gtar
Affected: versions < gtar-1.13.25_5
Status: Fixed
Directory traversal bug allows files to be overwritten unexpectedly
when an archive is extracted.
+------------------------------------------------------------------------+
Port name: hylafax
Affected: versions < hylafax-4.1.3
Status: Fixed
Format string vulnerability and buffer overflow resulting in potential
denial of service attack, arbitrary code execution as root, and elevation
of privilege.
+------------------------------------------------------------------------+
Port name: linux_base-6
Affected: versions < linux_base-6.1_2
Status: Fixed
multiple vulnerabilities in Xlib
+------------------------------------------------------------------------+
Port name: linux_base and linux_base-6
Affected: versions < linux_base-7.1_1 (linux_base)
versions < linux_base-6.1_2 (linux_base-6)
Status: Fixed
XDR RPC and resolver buffer overflows in glibc
+------------------------------------------------------------------------+
Port name: linux-flashplugin
Affected: versions < linux-flashplugin-5.0r50
Status: Fixed
A buffer overflow allowed execution of arbitrary code. Another bug
allowed the contents of users' files to be sent to a malicious Web
server.
+------------------------------------------------------------------------+
Port name: mozilla, mozilla-devel
Affected: versions < mozilla-1.0.1_1,2 (mozilla)
versions < linux-mozilla-1.0_1 (mozilla-devel)
Status: Not fixed
An overflow exists in the Chatzilla IRC client. It can cause Mozilla
to crash even if the demonstration page does not cause the crash.
According to Robert Ginda, the bug does not allow execution of
malicious code. Chatzilla had been disabled in the affected ports,
but it was inadvertently enabled again. The presence of Chatzilla
is indicated by an icon in the status bar, by an item in the Window
menu, and by the existence of the chatzilla.jar file. As a workaround,
remove chatzilla.jar.
+------------------------------------------------------------------------+
Port name: opera
Affected: versions < opera-6.03.20020813
Status: Fixed
Buffer overflows in OpenSSL may allow execution of arbitrary code.
+------------------------------------------------------------------------+
Port name: php
Affected: versions mod_php4-4.0.5 to mod_php4-4.2.2
versions >= php4-4.0.5 to php4-4.2.2
Status: Fixed
possible execution of arbitrary code via mail() function
+------------------------------------------------------------------------+
Port name: pkzip
Affected: all versions
Status: Not Fixed
If the -rec option is used when extracting an archive, files with
"/" as the first character in the path, or with "../" may be
extracted.
+------------------------------------------------------------------------+
Port name: qmailadmin
Affected: versions < qmailadmin-1.0.6
Status: Fixed
Installs setuid with exploitable buffer overflow leading to
privileges of `vpopmail' user.
+------------------------------------------------------------------------+
Port name: unzip
Affected: versions < unzip-5.50
Status: Fixed
Files with "/" as the first character in the path, or with "../"
in the path may be extracted from an archive.
+------------------------------------------------------------------------+
Port name: webmin
Affected: versions < webmin-1.020
Status: Fixed
A prepackaged SSL key was identical for every installation, allowing
sessions to be hijacked.
+------------------------------------------------------------------------+
Port name: XFree86-4, XFree86-4-Server, XFree86-4-NestServer,
XFree86-4-VirtualFramebufferServer, XFree86-4-libraries,
XFree86-4-clients
Affected: versions < XFree86-Server-4.2.1_1
versions < XFree86-libraries-4.2.1_1
versions < XFree86-clients-4.2.1_1
versions < XFree86-NestServer-4.2.1
versions < XFree86-VirtualFramebufferServer-4.2.1
Status: Fixed
Arbitrary code execution in privileged clients; overwriting restricted
shared memory segments; others.
+------------------------------------------------------------------------+
Port name: xinetd
Affected: versions < xinetd-2.3.7
Status: Fixed
A file descriptor leak in xinetd could give an unprivileged process
the ability to terminate the master xinetd process.
+------------------------------------------------------------------------+
III. Upgrading Ports/Packages
To upgrade a fixed port/package, perform one of the following:
1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:
/usr/ports/devel/portcheckout
/usr/ports/misc/porteasy
/usr/ports/sysutils/portupgrade
2) Deinstall the old package and install a new package obtained from
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
Packages are not automatically generated for other architectures at
this time.
+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.
Feedback on Security Notices is welcome at .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
Comment: FreeBSD: The Power To Serve
iQCVAwUBPaTD11UuHi5z0oilAQEXHgP9HR2gmVgRwAvKCqmlQVAEA6N3TwLFu1g/
QXOlOZB0asu4XCFzj7effNVrCMob93ZOMSjDo4+SdKdp11TX3SaOrP3mPUcaimbs
owHZD77Rqb4fhajWVPjezYzXpJX0C7qb4HS7SnCzNde98PG+acVcvyGyqmY/9Yuy
pVMUC9fjkFY=
=ybhF
-----END PGP SIGNATURE-----