FW: FreeBSD Security Notice FreeBSD-SN-03:01

[Mark Challender <MarkC () mtbaker wednet edu>]

Georgi,

Can I borrow your crystal ball?
==========================
you wrote:

Fine opinion about war and m$, but the statement
"OpenBSD, which does not develop as many products as Microsoft, says only
one 
vulnerability or hole has been found in its software in the past seven
years"
is untrue.

Georgi
===========================


Mark Challender
Network Administrator

Are you sending out a virus hoax?
Check the website below and be sure.

http://vil.nai.com/VIL/hoaxes.asp



-----Original Message-----
From: FreeBSD Security Advisories
[mailto:security-advisories () freebsd org]
Sent: Monday, April 07, 2003 6:42 AM
To: FreeBSD Security Advisories
Subject: [Full-disclosure] FreeBSD Security Notice FreeBSD-SN-03:01


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================================================
=
FreeBSD-SN-03:01                                              Security
Notice
                                                          The FreeBSD
Project

Topic:          security issue in samba ports
Announced:      2003-04-07

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      net/samba
Affected:       versions < samba-2.2.8_2, samba-2.2.8a
Status:         Fixed

Two vulnerabilities recently:

(1) Sebastian Krahmer of the SuSE Security Team identified
vulnerabilities that could lead to arbitrary code execution as root,
as well as a race condition that could allow overwriting of system
files.  (This vulnerability was previously fixed in Samba 2.2.8.)

(2) Digital Defense, Inc. reports: ``This vulnerability, if exploited
correctly, leads to an anonymous user gaining root access on a Samba
serving system. All versions of Samba up to and including Samba 2.2.8
are vulnerable. Alpha versions of Samba 3.0 and above are *NOT*
vulnerable.''

<URL: http://us1.samba.org/samba/whatsnew/samba-2.2.8.html >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085 >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086 >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196 >
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201 >
+------------------------------------------------------------------------+
Port name:      net/samba-tng
Affected:       all versions
Status:         Not fixed

Some or all of the vulnerabilities affecting Samba may also affect
Samba-TNG.  No confirmation or official patches are available at the
time of this security notice.
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier.  See:
  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[FreeBSD 4.x, i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

[FreeBSD 5.x, i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/

Packages are not automatically generated for other architectures at
this time.

Note that new, official packages may not be available on all mirrors
immediately.  In the interim, Security Officer-generated packages (and
detached digital signatures) are available for the i386 architecture
at:

[FreeBSD 4.x, i386]
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-st
able/samba-2.2.8_2.tgz
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-st
able/samba-2.2.8_2.tgz.asc

[FreeBSD 5.x]
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-cu
rrent/samba-2.2.8_2.tbz
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-cu
rrent/samba-2.2.8_2.tbz.asc


+------------------------------------------------------------------------+
FreeBSD Security Notices are communications from the Security Officer
intended to inform the user community about potential security issues,
such as bugs in the third-party applications found in the Ports
Collection, which will not be addressed in a FreeBSD Security
Advisory.

Feedback on Security Notices is welcome at <security-team () FreeBSD org>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+kX+vFdaIBMps37IRAtkmAJ4ruhx4WQLeSPSPgfmzrVW4uYvVJACfRxem
4q3eO8IxTujzRR2QwH4eyK4=
=/4KW
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications () freebsd org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to
"freebsd-security-notifications-unsubscribe () freebsd org"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html