3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
93 lines
3.4 KiB
Text
93 lines
3.4 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-00:79 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: oops allows remote code execution
|
|
|
|
Category: ports
|
|
Module: oops
|
|
Announced: 2000-12-20
|
|
Credits: |CyRaX| <cyrax@pkcrew.org>
|
|
Affects: Ports collection prior to the correction date.
|
|
Corrected: 2000-12-14
|
|
Vendor status: Updated version released
|
|
FreeBSD only: NO
|
|
|
|
I. Background
|
|
|
|
oops is a caching WWW proxy server.
|
|
|
|
II. Problem Description
|
|
|
|
The oops port, versions prior to 1.5.2, contains remote
|
|
vulnerabilities through buffer and stack overflows in the HTML parsing
|
|
code. These vulnerabilities may allow remote users to execute
|
|
arbitrary code as the user running oops.
|
|
|
|
The oops port is not installed by default, nor is it "part of FreeBSD"
|
|
as such: it is part of the FreeBSD ports collection, which contains over
|
|
4200 third-party applications in a ready-to-install format. The ports
|
|
collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem
|
|
since it was discovered after the releases.
|
|
|
|
FreeBSD makes no claim about the security of these third-party
|
|
applications, although an effort is underway to provide a security
|
|
audit of the most security-critical ports.
|
|
|
|
III. Impact
|
|
|
|
Malicious remote users may execute arbitrary code as the user running
|
|
oops.
|
|
|
|
If you have not chosen to install the oops port/package, then your
|
|
system is not vulnerable to this problem.
|
|
|
|
IV. Workaround
|
|
|
|
Deinstall the oops port/package, if you have installed it.
|
|
|
|
V. Solution
|
|
|
|
One of the following:
|
|
|
|
1) Upgrade your entire ports collection and rebuild the oops port.
|
|
|
|
2) Deinstall the old package and install a new package dated after the
|
|
correction date, obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/oops-1.5.2.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/oops-1.5.2.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/oops-1.5.2.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/oops-1.5.2.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/oops-1.5.2.tgz
|
|
|
|
NOTE: It may be several days before updated packages are available.
|
|
|
|
3) download a new port skeleton for the oops port from:
|
|
|
|
http://www.freebsd.org/ports/
|
|
|
|
and use it to rebuild the port.
|
|
|
|
4) Use the portcheckout utility to automate option (3) above. The
|
|
portcheckout port is available in /usr/ports/devel/portcheckout or the
|
|
package can be obtained from:
|
|
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
|
|
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.0.4 (FreeBSD)
|
|
Comment: For info see http://www.gnupg.org
|
|
|
|
iQCVAwUBOkDD+VUuHi5z0oilAQF/GQQAphFsq7DIG9Gez7F6ry71W/c9vwC0RMgz
|
|
4IWDeYtkLQhB86n2nkQFMeRQi6EAAOKrOeVJtGhjgtOib6nR6sPCJxbY+s7G/RCw
|
|
/hz1q6xG4MOw+obhFUsKO8UyWfONYGnKNB5JLqi/dbzXPXwSuuf6wKPClZbXRNEv
|
|
aR8tF+briCU=
|
|
=ZwXz
|
|
-----END PGP SIGNATURE-----
|