Re: Security Issue

2002-05-28 Thread Mitch Collinsworth


Removing their 2.3.0.4 port was the right thing for FreeBSD to do.
That version is what, 4 years old or more?  I'd challenge the
"often used" assertion in the announcement.  If it's often used
it's only because folks like FreeBSD have been shipping it long
after it should have been replaced with a 2.4.x version.

If you look at amanda's download page at:
http://www.amanda.org/download.html

you'll see 2.4.2p2 is the latest "stable release" and that there
have been various development releases since then.

-Mitch

On Tue, 28 May 2002, Tom Beer wrote:

> Hi,
>
> referring to the mentioned Advisories I would like to know what
> the latest stable version of Amanda is, that is not affected.
> I thought that 2.4.2p2 is the latest, as mentioned a week or
> so ago on this list. Below, only 2.3.0.4 is mentioned. But this
> wasn't shipped with FreeBSD 4.5.
>
> Thanks for info, a confused Tom
>
> http://online.securityfocus.com/archive/1/274215
>
> Package:  AMANDA
> Version:  2.3.0.4
> Date: 26/05/2002
> Issue:    Local and remote overflows
> Risk: Medium since this is an old package
> Credits:  zillion[at]safemode.org
>   http://www.safemode.org
>   http://www.snosoft.com
>
> The Advanced Maryland Automatic Network Disk Archiver (AMANDA) is
> a backup system which is available for many different Unix-based
> operating systems. Several setuid and setgid binaries which are
> installed by this package contain buffer overflow vulnerabilities
> that can be used to execute shellcode with elevated privileges.
> Additionally, the amindexd daemon contains a remote overflow bug
> that can lead to a remote system compromise.
>
> The affected version of AMANDA is an old package but is often used
> due to compatibility problems with newer versions. For example,
> this package was until recently shipped with the FreeBSD 4.5 ports
> collection.

Re: Security Issue

2002-05-28 Thread John Cartwright

On Tue, May 28, 2002 at 08:19:27PM +0200, Tom Beer wrote:
> referring to the mentioned Advisories I would like to know what
> the latest stable version of Amanda is, that is not affected.
> I thought that 2.4.2p2 is the latest, as mentioned a week or
> so ago on this list. Below, only 2.3.0.4 is mentioned. But this
> wasn't shipped with FreeBSD 4.5. 

Tom, this is what I was referring to in my post yesterday.
I assume that 2.4.2p2 is 'safe', but it would be good to have
the official word on this ...

- John



Security Issue

2002-05-28 Thread Tom Beer

Hi, 

referring to the mentioned Advisories I would like to know what
the latest stable version of Amanda is, that is not affected.
I thought that 2.4.2p2 is the latest, as mentioned a week or
so ago on this list. Below, only 2.3.0.4 is mentioned. But this
wasn't shipped with FreeBSD 4.5. 

Thanks for info, a confused Tom

http://online.securityfocus.com/archive/1/274215

Package:  AMANDA
Version:  2.3.0.4
Date: 26/05/2002
Issue:    Local and remote overflows
Risk: Medium since this is an old package
Credits:  zillion[at]safemode.org
  http://www.safemode.org
  http://www.snosoft.com

The Advanced Maryland Automatic Network Disk Archiver (AMANDA) is
a backup system which is available for many different Unix-based
operating systems. Several setuid and setgid binaries which are
installed by this package contain buffer overflow vulnerabilities
that can be used to execute shellcode with elevated privileges.
Additionally, the amindexd daemon contains a remote overflow bug
that can lead to a remote system compromise.

The affected version of AMANDA is an old package but is often used
due to compatibility problems with newer versions. For example,
this package was until recently shipped with the FreeBSD 4.5 ports
collection.
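A version-triage check for the question the thread raises, added here as an example and not code from the thread or from the AMANDA project: it parses AMANDA-style version strings (the `pN` patch-level and `bN` beta suffixes are an assumed grammar, not one the advisory states) and flags installs older than the 2.4.2p2 stable release named on the download page. The host inventory is constructed.

```python
import re
from typing import Dict, Tuple

# Assumed version grammar (not from the advisory): "2.4.2p2" is 2.4.2 at
# patch level 2, "2.4.3b3" is beta 3 of 2.4.3, "2.3.0.4" has four numeric parts.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(p|b)(\d+))?$")

# Latest "stable release" named on the download page cited in the thread.
STABLE_RELEASE = "2.4.2p2"
# Version the quoted advisory names as affected.
ADVISORY_VERSION = "2.3.0.4"


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn an AMANDA-style version string into a sortable key.

    The key is (numeric parts padded to four, stage, suffix number), with
    stage 0 for beta, 1 for a plain release and 2 for a patch level, so that
    2.4.2b1 < 2.4.2 < 2.4.2p2 < 2.4.3.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    numbers = numbers + (0,) * (4 - len(numbers))
    stage = {"b": 0, None: 1, "p": 2}[m.group(2)]
    suffix_num = int(m.group(3)) if m.group(3) else 0
    return (numbers, stage, suffix_num)


def needs_upgrade(installed: str, stable: str = STABLE_RELEASE) -> bool:
    """True when the installed release is older than the stable release."""
    return parse_version(installed) < parse_version(stable)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory of installed versions to a verdict."""
    return {host: ("upgrade" if needs_upgrade(ver) else "current")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; host names and versions are not real systems.
    hosts = {"backup1": ADVISORY_VERSION, "backup2": STABLE_RELEASE,
             "backup3": "2.4.1p1", "dev1": "2.4.3b3"}
    for host, verdict in triage(hosts).items():
        print(f"{host:8s} {hosts[host]:8s} {verdict}")
```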