FW: [Full-Disclosure] FreeBSD Security Notice FreeBSD-SN-03:01

From: Mark Challender (MarkC@mtbaker.wednet.edu)
Date: 04/07/03

  • Next message: Pekka Savola: "Re: [Full-Disclosure] U.S. military helps fund Calgary hacker with $2.3 million" 
    From: Mark Challender <MarkC@mtbaker.wednet.edu>
To: full-disclosure@lists.netsys.com
Date: Mon, 7 Apr 2003 11:32:16 -0700

    Georgi,

    Can I borrow your crystal ball?
    ==========================
    you wrote:

    Fine opinion about war and m$, but the statement
    "OpenBSD, which does not develop as many products as Microsoft, says only
    one
    vulnerability or hole has been found in its software in the past seven
    years"
    is untrue.

    Georgi
    ===========================

    Mark Challender
    Network Administrator

    Are you sending out a virus hoax?
    Check the website below and be sure.

    http://vil.nai.com/VIL/hoaxes.asp

    -----Original Message-----
    From: FreeBSD Security Advisories
    [mailto:security-advisories@freebsd.org]
    Sent: Monday, April 07, 2003 6:42 AM
    To: FreeBSD Security Advisories
    Subject: [Full-Disclosure] FreeBSD Security Notice FreeBSD-SN-03:01

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ============================================================================
    =
    FreeBSD-SN-03:01 Security
    Notice
                                                              The FreeBSD
    Project

    Topic: security issue in samba ports
    Announced: 2003-04-07

    I. Introduction

    Several ports in the FreeBSD Ports Collection are affected by security
    issues. These are listed below with references and affected versions.
    All versions given refer to the FreeBSD port/package version numbers.
    The listed vulnerabilities are not specific to FreeBSD unless
    otherwise noted.

    These ports are not installed by default, nor are they ``part of
    FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
    third-party applications in a ready-to-install format. FreeBSD makes
    no claim about the security of these third-party applications. See
    <URL:http://www.freebsd.org/ports/> for more information about the
    FreeBSD Ports Collection.

    II. Ports

    +------------------------------------------------------------------------+
    Port name: net/samba
    Affected: versions < samba-2.2.8_2, samba-2.2.8a
    Status: Fixed

    Two vulnerabilities recently:

    (1) Sebastian Krahmer of the SuSE Security Team identified
    vulnerabilities that could lead to arbitrary code execution as root,
    as well as a race condition that could allow overwriting of system
    files. (This vulnerability was previously fixed in Samba 2.2.8.)

    (2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
    correctly, leads to an anonymous user gaining root access on a Samba
    serving system. All versions of Samba up to and including Samba 2.2.8
    are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
    vulnerable.''

    <URL: http://us1.samba.org/samba/whatsnew/samba-2.2.8.html >
    <URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085 >
    <URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086 >
    <URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196 >
    <URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201 >
    +------------------------------------------------------------------------+
    Port name: net/samba-tng
    Affected: all versions
    Status: Not fixed

    Some or all of the vulnerabilities affecting Samba may also affect
    Samba-TNG. No confirmation or official patches are available at the
    time of this security notice.
    +------------------------------------------------------------------------+

    III. Upgrading Ports/Packages

    To upgrade a fixed port/package, perform one of the following:

    1) Upgrade your Ports Collection and rebuild and reinstall the port.
    Several tools are available in the Ports Collection to make this
    easier. See:
      /usr/ports/devel/portcheckout
      /usr/ports/misc/porteasy
      /usr/ports/sysutils/portupgrade

    2) Deinstall the old package and install a new package obtained from

    [FreeBSD 4.x, i386]
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

    [FreeBSD 5.x, i386]
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/

    Packages are not automatically generated for other architectures at
    this time.

    Note that new, official packages may not be available on all mirrors
    immediately. In the interim, Security Officer-generated packages (and
    detached digital signatures) are available for the i386 architecture
    at:

    [FreeBSD 4.x, i386]
    ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-st
    able/samba-2.2.8_2.tgz
    ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-st
    able/samba-2.2.8_2.tgz.asc

    [FreeBSD 5.x]
    ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-cu
    rrent/samba-2.2.8_2.tbz
    ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-cu
    rrent/samba-2.2.8_2.tbz.asc

    +------------------------------------------------------------------------+
    FreeBSD Security Notices are communications from the Security Officer
    intended to inform the user community about potential security issues,
    such as bugs in the third-party applications found in the Ports
    Collection, which will not be addressed in a FreeBSD Security
    Advisory.

    Feedback on Security Notices is welcome at <security-team@FreeBSD.org>.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (FreeBSD)

    iD8DBQE+kX+vFdaIBMps37IRAtkmAJ4ruhx4WQLeSPSPgfmzrVW4uYvVJACfRxem
    4q3eO8IxTujzRR2QwH4eyK4=
    =/4KW
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security-notifications@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
    To unsubscribe, send any mail to
    "freebsd-security-notifications-unsubscribe@freebsd.org"

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Pekka Savola: "Re: [Full-Disclosure] U.S. military helps fund Calgary hacker with $2.3 million"

    Relevant Pages

    • [Full-Disclosure] FreeBSD Security Notice FreeBSD-SN-03:01
      ... Several ports in the FreeBSD Ports Collection are affected by security ... All versions given refer to the FreeBSD port/package version numbers. ... Some or all of the vulnerabilities affecting Samba may also affect ...
      (Full-Disclosure)
    • RE: Re: FreeBSD Security Survey
      ... FreeBSD has proven ... likely would reduce security issues exponentially. ... The survey is a great idea. ... While I find ports to be the single most useful feature of the FreeBSD ...
      (freebsd-stable)
    • RE: Re: FreeBSD Security Survey
      ... FreeBSD has proven ... likely would reduce security issues exponentially. ... The survey is a great idea. ... While I find ports to be the single most useful feature of the FreeBSD ...
      (FreeBSD-Security)
    • Re: ports security branch
      ... > Is there a security branch for the FreeBSD ports collection? ... If you only want to track security vulnerabilities, ...
      (freebsd-questions)
    • Re: What about BIND 9.3.4 in FreeBSD in base system ?
      ... Given that FreeBSD is not vulnerable to these issues in its default configuration, one could easily argue that an upgrade for RELENG_5 isn't necessary. ... The ports exist in part to facilitate using the latest BIND on older versions of FreeBSD that will not be updated. ... the above DoS vulnerabilities ought to be fixed in the 5-STABLE branch? ...
      (FreeBSD-Security)
    Loading