FYI,
-- Security Alert Consensus --
Number 053 (00.29)
Thursday, July 13, 2000
Created for you by
Network Computing and the SANS Institute
Relevant Info on BSD security bugs and problems as follows:
This week saw many vendors releasing patched versions of ftpds. As it
turns out, the type of vulnerability that plagued WU-FTPD last week was
also found in OpenBSD ftpd and FreeBSD ftpd, as well as Opieftpd. The
original vulnerability was described as {00.27.007} and this week as
{00.29.002}. You will need to be a subscriber to the "Cross-Platform"
category to receive those alerts.
Keep in mind that SAC is archived, and the archives feature all
categories, so if you would like to see items not in your subscribed
category, you can view the issue at:
http://archives.neohapsis.com/archives/
Specifics as follows:
--- BSD News -----------------------------------------------------------
--> {00.29.003} Update to {00.28.003}: Canna remote buffer overflow in
SR_INIT command
FreeBSD has released updated packages that fix the vulnerability
described in {00.28.003} ("Canna remote buffer overflow in SR_INIT
command").
FreeBSD packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/japanese/ja-Canna-3.2.2.tgz
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0041.html
--> {00.29.008} Update to {00.25.006}: OpenSSH "Uselogin" allows
commands to be run as root
FreeBSD has released a patch that corrects the vulnerability discussed
in {00.25.006} ("OpenSSH 'Uselogin' allows commands to be run as root").
Patch:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0040.html
--> {00.29.020} Update to {00.23.004}: QPop euidl buffer overflow
FreeBSD has released updated packages that correct the vulnerability
discussed in {00.23.004} ("QPop euidl buffer overflow").
Download updated packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/qpopper-2.53.tgz
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0036.html
--> {00.29.022} XFree86 4.0 local buffer overflow
FreeBSD has released updated packages that detail a local buffer
overflow in XFree86 version 4.0. The vulnerability lets a local attacker
gain root privileges.
Updated FreeBSD packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0037.html
============== End of update =================
Regards,
--
Jeffrey A. Williams
Spokesman INEGroup (Over 112k members strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
Contact Number: 972-447-1800 x1894 or 9236 fwd's to home ph#
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208