From: MarkC at mtbaker.wednet.edu (Mark Challender)
Subject: FW: FreeBSD Security Notice FreeBSD-SN-03:01

Georgi,

Can I borrow your crystal ball?

==========================
you wrote:

Fine opinion about war and m$, but the statement
"OpenBSD, which does not develop as many products as Microsoft, says only
one vulnerability or hole has been found in its software in the past seven
years"
is untrue.

Georgi
===========================

Mark Challender
Network Administrator

Are you sending out a virus hoax?
Check the website below and be sure.
http://vil.nai.com/VIL/hoaxes.asp

-----Original Message-----
From: FreeBSD Security Advisories [mailto:security-advisories@...ebsd.org]
Sent: Monday, April 07, 2003 6:42 AM
To: FreeBSD Security Advisories
Subject: [Full-Disclosure] FreeBSD Security Notice FreeBSD-SN-03:01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SN-03:01                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issue in samba ports
Announced:      2003-04-07

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless otherwise
noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications. See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      net/samba
Affected:       versions < samba-2.2.8_2, samba-2.2.8a
Status:         Fixed

Two vulnerabilities recently:

(1) Sebastian Krahmer of the SuSE Security Team identified
vulnerabilities that could lead to arbitrary code execution as root,
as well as a race condition that could allow overwriting of system
files. (This vulnerability was previously fixed in Samba 2.2.8.)

(2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
correctly, leads to an anonymous user gaining root access on a Samba
serving system. All versions of Samba up to and including Samba 2.2.8
are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
vulnerable.''

<URL: http://us1.samba.org/samba/whatsnew/samba-2.2.8.html >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085 >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086 >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196 >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201 >
+------------------------------------------------------------------------+
Port name:      net/samba-tng
Affected:       all versions
Status:         Not fixed

Some or all of the vulnerabilities affecting Samba may also affect
Samba-TNG. No confirmation or official patches are available at the
time of this security notice.
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:
  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[FreeBSD 4.x, i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

[FreeBSD 5.x, i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/

Packages are not automatically generated for other architectures at
this time.

Note that new, official packages may not be available on all mirrors
immediately. In the interim, Security Officer-generated packages (and
detached digital signatures) are available for the i386 architecture
at:

[FreeBSD 4.x, i386]
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-stable/samba-2.2.8_2.tgz
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-stable/samba-2.2.8_2.tgz.asc

[FreeBSD 5.x]
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-current/samba-2.2.8_2.tbz
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-current/samba-2.2.8_2.tbz.asc

+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.

Feedback on Security Notices is welcome at <security-team@...eBSD.org>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+kX+vFdaIBMps37IRAtkmAJ4ruhx4WQLeSPSPgfmzrVW4uYvVJACfRxem
4q3eO8IxTujzRR2QwH4eyK4=
=/4KW
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@...ebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to
"freebsd-security-notifications-unsubscribe@...ebsd.org"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
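The notice's "Affected" lines can be applied mechanically to a host's installed package list. The sketch below is an added example, not part of the notice or of this post: the function names, the result labels and the simplified version ordering (no ",EPOCH" support) are assumptions, and samba-2.2.8a is sent to manual review because the notice names it separately from the "< samba-2.2.8_2" bound.

```python
import re

# Values taken from the notice's "Ports" section.
FIXED = {"samba": "2.2.8_2"}        # Affected: versions < samba-2.2.8_2
NAMED = {"samba-2.2.8a"}            # also named on the same Affected line
UNFIXED = {"samba-tng"}             # Affected: all versions, Status: Not fixed


def split_pkg(pkg):
    """'samba-2.2.8_2' -> ('samba', '2.2.8_2'); the version follows the last '-'."""
    name, _, version = pkg.rpartition("-")
    return name, version


def version_key(version):
    """Sortable key for 'X.Y.Z[letter][_REV]' (simplified, assumed ordering)."""
    base, _, rev = version.partition("_")
    parts = []
    for comp in base.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", comp)
        if not m:
            raise ValueError(f"unsupported version component: {comp!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return parts, int(rev or 0)     # a missing _REV counts as revision 0


def triage(pkg):
    """Classify one installed package name against the notice."""
    name, version = split_pkg(pkg)
    if name in UNFIXED:
        return "affected-no-fix"
    if pkg in NAMED:
        return "review"             # ordering alone cannot decide this one
    if name in FIXED:
        older = version_key(version) < version_key(FIXED[name])
        return "affected" if older else "fixed"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample of installed package names, one per line of output.
    installed = ["samba-2.2.8", "samba-2.2.8_1", "samba-2.2.8_2",
                 "samba-2.2.8a", "samba-tng-0.3.1", "apache-1.3.27"]
    for pkg in installed:
        print(f"{pkg:20} {triage(pkg)}")
```
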