Ik kreeg een mailtje van de mailinglist van FreeBSD in mijn inbox waarin te lezen was dat er verschillende ports in de FreeBSD Ports Collectie blootgesteld zijn aan beveiligings fouten.
[quote]Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.
These ports are not installed by default‚ nor are they “part of
FreeBSD” as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications.
+————————————————————————+
Port name: amanda
Affected: versions <= amanda-2.3.0.4
Status: Port removed
Obsolete versions of Amanda contain multiple buffer overflows.
+————————————————————————+
Port name: fetchmail
Affected: versions < fetchmail-5.9.11
Status: Fixed
+————————————————————————+
Port name: gaim
Affected: versions < gaim-0.58
Status: Fixed
World-readable temp files allow access to gaim users' hotmail
accounts.
+————————————————————————+
Port name: gnokii
Affected: versions < gnokii-0.4.0.p20‚1
Status: Fixed
Write access to any file in the filesystem.
+————————————————————————+
Port name: horde
Affected: versions < horde-1.2.8
Status: Fixed
Cross-site scripting attacks.
+------------------------------------------------------------------------+
Port name: imap-uw
Affected: all versions
Status: Not fixed
Only when compiled with RFC 1730 support (make -DWITH_RFC1730):
Remote buffer overflow yielding non-privileged shell access.
+————————————————————————+
Port name: imp
Affected: versions < imp-2.2.8
Status: Fixed
Cross-site scripting attacks.
+------------------------------------------------------------------------+
Port name: linux-netscape6
Affected: versions < 6.2.3
Status: Fixed
XMLHttpRequest allows reading of local files.
+————————————————————————+
Port name: mnogosearch
Affected: versions < mnogosearch-3.1.19_2
Status: Fixed
Long query can be abused to execute code with webserver privileges.
+————————————————————————+
Port name: mpg321
Affected: versions < mpg321-0.2.9
Status: Fixed
Buffer overflow may allow remote attackers to execute arbitrary code via
streaming data.
+————————————————————————+
Port name: ssh2
Affected: all versions
Status: Not fixed
Password authentication may be used even if password authentication
is disabled.
+————————————————————————+
Port name: tinyproxy
Affected: versions < tinyproxy-1.5.0
Status: Fixed
Invalid query could allow execution of arbitrary code.
+————————————————————————+
Port name: webmin
Affected: versions < webmin-0.970
Status: Fixed
Remote attacker can login to Webmin as any user.
+————————————————————————+
III. Upgrading Ports/Packages
To upgrade a fixed port/package‚ perform one of the following:
1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:
/usr/ports/devel/portcheckout
/usr/ports/misc/porteasy
/usr/ports/sysutils/portupgrade
2) Deinstall the old package and install a new package obtained from
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/
Packages are not automatically generated for other architectures at
this time.
[/quote]