----------
> From: FreeBSD Security Advisories <[EMAIL PROTECTED]>
> To: FreeBSD Security Advisories <[EMAIL PROTECTED]>
> Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:79:oops
> Date: December 20, 2000, 16:41
>
> =============================================================================
> FreeBSD-SA-00:79                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          oops allows remote code execution
>
> Category:       ports
> Module:         oops
> Announced:      2000-12-20
> Credits:        |CyRaX| <[EMAIL PROTECTED]>
> Affects:        Ports collection prior to the correction date.
> Corrected:      2000-12-14
> Vendor status:  Updated version released
> FreeBSD only:   NO
>
> I.   Background
>
> oops is a caching WWW proxy server.
>
> II.  Problem Description
>
> The oops port, versions prior to 1.5.2, contains remote
> vulnerabilities through buffer and stack overflows in the HTML parsing
> code. These vulnerabilities may allow remote users to execute
> arbitrary code as the user running oops.
>
> The oops port is not installed by default, nor is it "part of FreeBSD"
> as such: it is part of the FreeBSD ports collection, which contains over
> 4200 third-party applications in a ready-to-install format. The ports
> collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem
> since it was discovered after the releases.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
> audit of the most security-critical ports.
>
> III. Impact
>
> Malicious remote users may execute arbitrary code as the user running
> oops.
>
> If you have not chosen to install the oops port/package, then your
> system is not vulnerable to this problem.
>
> IV.  Workaround
>
> Deinstall the oops port/package, if you have installed it.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the oops port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/oops-1.5.2.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/oops-1.5.2.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/oops-1.5.2.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/oops-1.5.2.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/oops-1.5.2.tgz
>
> NOTE: It may be several days before updated packages are available.
>
> 3) Download a new port skeleton for the oops port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-security-notifications" in the body of the message

WBR, Alexey Znamerovskiy

=====================================================================
If you would like to unsubscribe from this list send message to
[EMAIL PROTECTED] with "unsubscribe oops" in message body.
Archive is accessible on http://www.paco.net/oops/
