Copyright © 2002-2008
EscapeBox Germany

A number of fixes and enhancements have accumulated since our last
kernel update (three months ago), which we decided to put into
production today. One area worth mentioning is an improved process
scheduler algorithm for multiple CPUs (SMP) and the CPU affinity of
processes, aimed at better cache hit rates. In order to activate the
new UNIX kernel we had to reboot all of our servers. We apologize for
the short service interruption.

The SquirrelMail packages of 1.4.12 and 1.4.11 were externally
modified after release through a compromised sourceforge.net developer
account. The inserted code can allow remote PHP code execution in many
environments. We fixed the problem by upgrading to revision 1.4.13.

Please note, however, that our shared version of SquirrelMail was not
affected because we fetched the source package before the compromise
happened. Also, our build system always checks downloaded packages
against the checksums in the FreeBSD ports repository, which lives on
a separate, independent server.

For more information please refer to
http://www.squirrelmail.org/security/issue/2007-12-13
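The checksum comparison mentioned above, as an added example that is not part of the original article or of the build system it describes: a POSIX shell function that verifies a downloaded distfile against the SHA256 and SIZE lines of a FreeBSD ports distinfo file. The distfile and distinfo used by the demo are constructed here and do not belong to any real port.

```shell
#!/bin/sh
# Added example: verify a downloaded distfile against the SHA256 and SIZE
# lines that a FreeBSD ports distinfo file records for it, so a tarball
# swapped on the download mirror is rejected before it is built.

sha256_of() {
    # sha256sum on GNU systems, sha256(1) on FreeBSD; print only the digest.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

verify_distfile() {
    # Usage: verify_distfile <distinfo> <distfile>; returns 0 only if both
    # the byte count and the SHA256 digest match the distinfo entry.
    distinfo=$1 file=$2
    name=$(basename "$file")
    want_sum=$(sed -n "s/^SHA256 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "$name: no SHA256/SIZE entry in $distinfo" >&2
        return 1
    fi
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "$name: size $have_size, distinfo says $want_size" >&2
        return 1
    fi
    have_sum=$(sha256_of "$file")
    if [ "$have_sum" != "$want_sum" ]; then
        echo "$name: SHA256 mismatch, refusing to build" >&2
        return 1
    fi
    echo "$name: checksum and size OK"
}

demo() {
    # Constructed sample input, not a real port: a fake distfile containing
    # "hello\n" and the distinfo lines describing it (the digest is the
    # SHA256 of "hello\n").
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/example-1.0.tar.gz"
    cat > "$dir/distinfo" <<'EOF'
SHA256 (example-1.0.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (example-1.0.tar.gz) = 6
EOF
    if verify_distfile "$dir/distinfo" "$dir/example-1.0.tar.gz"; then good=0; else good=1; fi
    # Same size, different bytes: models a tarball replaced on the mirror.
    printf 'hellO\n' > "$dir/example-1.0.tar.gz"
    if verify_distfile "$dir/distinfo" "$dir/example-1.0.tar.gz" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh verify.sh --demo` to see the accepted and the rejected case; the size check runs first because it is cheap and already catches a truncated download.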

This is a maintenance release which
introduces numerous bug fixes and improvements.

Due to incorrect bounds checking, Squid is vulnerable to a denial of
service during the processing of some cache update replies. This
problem allows any client trusted to use the service to perform a
denial of service attack on the Squid service. We use Squid as a web
accelerator in front of the Apache web server, so naturally Squid's
client side is exposed to the Internet. We fixed the problem by
applying the recommended patch.

For more information please refer to
http://www.squid-cache.org/Advisories/SQUID-2007_2.txt

A security vulnerability has been found in Rsync. If a user is running
a writable Rsync daemon with "use chroot = no", there is at least one
way for someone to trick Rsync into creating a symlink that points
outside of the module's hierarchy. In order to address this problem
the new daemon option "munge symlinks" has been implemented by applying
the recommended patch. More details can be found in the 'rsyncd.conf'
manpage.

For more information please refer to
http://lists.samba.org/archive/rsync-announce/2007/000050.html
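An audit for the configuration described above, added here as an example and not part of the original article or of rsync itself: a shell function that scans an rsyncd.conf (the demo uses a constructed sample, not this system's configuration) and lists writable modules that run with "use chroot = no" but do not explicitly set "munge symlinks = yes". Because the default of "munge symlinks" depends on the rsync version, the check treats an unset value as a finding; that conservative choice is an assumption of the example.

```shell
#!/bin/sh
# Added example: list rsyncd.conf modules that are writable, run with
# "use chroot = no" and do not explicitly set "munge symlinks = yes".
# Module settings inherit from the global section. An unset
# "munge symlinks" counts as a finding (assumption: do not rely on a
# version-dependent default).

audit_rsyncd_conf() {
    # Usage: audit_rsyncd_conf <rsyncd.conf>; prints one module name per
    # line and returns 1 if any module needs attention, 0 otherwise.
    awk '
    BEGIN { g_ro = "yes"; g_chroot = "yes"; g_munge = "" }
    function norm(v) {
        gsub(/^[ \t]+|[ \t]+$/, "", v); v = tolower(v)
        if (v == "false" || v == "0") v = "no"
        if (v == "true"  || v == "1") v = "yes"
        return v
    }
    function report(m) {
        if (m != "" && ro[m] == "no" && chroot_[m] == "no" && munge[m] != "yes") {
            print m; found = 1
        }
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
    /^[ \t]*\[/ {                           # new [module] section
        report(mod)
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*$/, "", mod)
        ro[mod] = g_ro; chroot_[mod] = g_chroot; munge[mod] = g_munge
        next
    }
    index($0, "=") {                        # key = value
        key = norm(substr($0, 1, index($0, "=") - 1))
        val = norm(substr($0, index($0, "=") + 1))
        if (mod == "") {
            if (key == "read only") g_ro = val
            else if (key == "use chroot") g_chroot = val
            else if (key == "munge symlinks") g_munge = val
        } else {
            if (key == "read only") ro[mod] = val
            else if (key == "use chroot") chroot_[mod] = val
            else if (key == "munge symlinks") munge[mod] = val
        }
    }
    END { report(mod); if (found) exit 1 }
    ' "$1"
}

demo() {
    # Constructed sample rsyncd.conf (not a real configuration): only
    # "www" should be reported; "www_ok" munges symlinks and "pub" is
    # read-only by default.
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
use chroot = no
[www]
    path = /var/www
    read only = no
[www_ok]
    path = /var/www
    read only = false
    munge symlinks = yes
[pub]
    path = /pub
EOF
    out=$(audit_rsyncd_conf "$conf" || true)
    rm -f "$conf"
    [ "$out" = "www" ]
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```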

This is a maintenance release which
introduces a number of bug fixes and improvements.

This maintenance release fixes more than
60 bugs that have been discovered and resolved since 5.2.4.

This is a maintenance release which
introduces a number of bug fixes and improvements.

This is a pure bug fix release. There are
no new features.

In addition to Python 2.2, 2.3 and 2.4 we installed branch 2.5. For
compatibility reasons Python 2.2 remains the default version, but you
can change this individually by altering the symlinks
'/usr/local/bin/python' and '/usr/local/bin/pydoc'.

Users who already have a private copy of Python 2.5 installed may want
to switch to the shared version by using the command
'pkg_delpriv packagename'. The exact package name of the private copy
can be obtained by running 'pkg_info'.

Also, there are multiple instances of 'mod_python', one for each
version of Python. In '/usr/local/libexec/apache', the shared library
'mod_python.so' is by default a symlink to 'mod_python2.2.so', but you
can easily select a different version by pointing that symlink to one
of the other modules. Note that you have to restart Apache afterwards.

This maintenance release introduces a number
of bug fixes, improvements and new features.

This is a maintenance release which
introduces a number of bug fixes and improvements.

The race for the succession to CVS' throne appears to be over. Going
by its popularity, Subversion has emerged as the clear winner. So at
this point we introduce Subversion 1.4.5 as a new centrally maintained
package. Subversion is a modern version control system that is similar
to CVS, but without some of its major disadvantages. The client ('svn')
can be used right away to access remote Subversion servers. However,
hosting a repository requires some configuration work. For detailed
instructions please refer to our "Box Docs", chapter "Other software",
section "Subversion".

This maintenance release, based on version 1.5.0_13 of Sun's original
JRL source code and a matching new level (p7) of the BSD-specific
portability patches, introduces lots of bug fixes and a number of
improvements.

This is a pure bug fix release. There are
no new features.

This is a maintenance release which
introduces numerous bug fixes and improvements.

Some vulnerabilities have been found in libpng, which can be exploited
by malicious people to cause a DoS. We fixed the problems by upgrading
to revision 1.2.22. In fact, these vulnerabilities were originally
fixed in 1.2.21 already, but we skipped that version because it was
unfortunately broken.

For more information please refer to
http://secunia.com/advisories/27093
http://secunia.com/advisories/27130

This maintenance release fixes more than
120 bugs that have been discovered and resolved since the 5.2.3 release.

This is a maintenance release which
introduces a number of bug fixes and improvements.

This maintenance release introduces a number
of bug fixes, improvements and new features.

This maintenance release, based on version 1.5.0_12 of Sun's original
JRL source code and a matching new level (p6) of the BSD-specific
portability patches, introduces lots of bug fixes and a number of
improvements.

A number of fixes and improvements have accumulated since our last
kernel update (five months ago), which we decided to put into
production today. Nothing spectacular worth highlighting, though. In
order to activate the new UNIX kernel we had to reboot all of our
servers. We apologize for the short service interruption.

There is a cross-site scripting (XSS) vulnerability in mod_status.c in
the mod_status module. When ExtendedStatus is enabled and a public
server-status page is used, the bug allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors involving
charsets with browsers that perform "charset detection" when the
content-type is not specified. Also, a second security vulnerability
allows local users to cause a denial of service by modifying the
worker_score and process_score arrays to reference an arbitrary
process ID, which is sent a SIGUSR1 signal from the master process,
aka "SIGUSR1 killer." We fixed the problems by upgrading to revision
1.3.39.

For more information please refer to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304

The new stable branch 5.2.x of Multitail is a merge between the
previous stable branch 5.0.x and development code from 5.1.x. It
introduces a number of improvements, and of course bug fixes.

A denial of service vulnerability has been found in Fetchmail. It
generates warning messages in certain circumstances (for instance,
when leaving oversized messages on the server or when login to the
upstream server fails) and sends them to the local postmaster or the
user running it. If such a warning message is then refused by the SMTP
listener that Fetchmail is forwarding the message to, Fetchmail
crashes and does not collect further messages until it is restarted.
We fixed the problem by applying the recommended patch.

For more information please refer to
http://fetchmail.berlios.de/fetchmail-SA-2007-02.txt

A path traversal flaw has been discovered in the way GnuTar extracts
archives. A malicious user could create a tar archive that could write
to arbitrary files to which the user running GnuTar has write access.
We addressed the problem by upgrading to revision 1.18 plus the
recommended patch.

For more information please refer to
http://www.vuxml.org/freebsd/CVE-2007-4131.html

A weakness in the Bind 8 DNS server has been discovered which enables
"DNS Forgery Pharming". An attacker can remotely poison the cache of
any Bind 8 caching DNS server and force users who use this DNS server
to connect to fraudulent websites each time they try to access the
original websites. We fixed the problem by applying the recommended
patch.

For more information please refer to
http://www.trusteer.com/docs/bind8dns.html

Multiple off-by-one errors in Rsync might allow remote attackers to
execute arbitrary code via directory names that are not properly
handled when calling the f_name function. We fixed the problem by
applying the recommended patch.

For more information please refer to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4091

This maintenance release introduces a number
of bug fixes, improvements and new features.

This is a maintenance release which
introduces a number of bug fixes and improvements.

We upgraded the various Autoconf and Automake versions installed in
our system to FreeBSD's recently introduced "New World Order" for
these tools. Please note that this is of relevance only to those who
build software by means of a privately installed copy of the FreeBSD
Ports Tree. In this case an update of the files under '/usr/ports/Mk'
is necessary in order to stay compatible, and certain individual ports
may have to be updated as well before the next build.

Besides adding some new features this is mainly
a bug fix release.

This is a pure bug fix release. There are
no new features.

This is a pure bug fix release. There are
no new features.

A security vulnerability has been found in mod_jk that can be
exploited by malicious people to bypass certain security restrictions.
The issue is caused by an error within the handling of double encoded
".." in URLs. This can be exploited to bypass certain restrictions and
may allow access to pages on the AJP backend. We fixed the problem by
upgrading to revision 1.2.23.

For more information please refer to
http://secunia.com/advisories/25383
http://tomcat.apache.org/security-jk.html

This maintenance release, based on a newer version of Sun's original
JRL source code (1.5.0_11) and a matching new level (p5) of the
BSD-specific portability patches, introduces lots of bug fixes and a
number of improvements.

Multiple security vulnerabilities have been found in PHP. We addressed
the problem by upgrading to revision 5.2.3, which also fixes lots of
non-security related bugs.

For more information please refer to
http://www.php.net/releases/5_2_3.php

A flaw in the way Mutt processed certain APOP authentication requests
has been discovered. By sending certain responses when Mutt attempted
to authenticate against an APOP server, a remote attacker could
possibly obtain certain portions of the user's authentication
credentials. Another flaw in how Mutt handled certain characters in
GECOS fields could lead to a buffer overflow. A local user able to
give himself a carefully crafted Real Name could potentially execute
arbitrary code if a victim used Mutt to expand the attacker's alias.
We fixed the problem by upgrading to revision 1.4.2.3.

For more information please refer to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683

The new stable branch 5.0.x of Multitail is a merge between the
previous stable branch 4.2.x and development code from 4.3.x. It
introduces a number of improvements, and of course bug fixes.

This is a maintenance release which
introduces numerous bug fixes and improvements.

The DCC or Distributed Checksum Clearinghouse is an anti-spam content
filter. It involves millions of users, tens of thousands of clients
and more than 250 servers collecting and counting checksums related to
more than 300 million mail messages on week days. The counts can be
used by SMTP servers and mail user agents to detect and reject or
filter spam or unsolicited bulk mail. DCC servers exchange common
checksums. The checksums include values that are constant across
common variations in bulk messages, including "personalizations."

The idea of the DCC is that if mail recipients could compare the mail
they receive, they could recognize unsolicited bulk mail. A DCC server
totals reports of checksums of messages from clients and answers
queries about the total counts for checksums of mail messages. A DCC
client reports the checksums for a mail message to a server and is
told the total number of recipients of mail with each checksum. If one
of the totals is higher than a threshold set by the client, and local
whitelists do not exempt the message, it is treated as unsolicited and
the DCC client can log, discard, or reject it.

In our system, SpamAssassin picks up and uses the DCC client
('dccproc') automatically if it is present. The default trigger level
is a total count of 999999, which means that even large mailing lists
are unlikely to generate false positives. Besides, mailing list
processing ought to take place before local spam filtering anyway,
since mailing lists are expected to be free of spam already (mostly at
least).

Please note: For maximum effectiveness, users with a private copy of
SpamAssassin's global config file
'/usr/local/etc/mail/spamassassin/local.cf' may want to sync it with
our default version under '/system/sd/usr/local/etc/mail/spamassassin'.

For more information please refer to
http://www.rhyolite.com/anti-spam/dcc/

An integer signedness error in FreeType might allow remote attackers
to execute arbitrary code via a crafted TTF image with a negative
'n_points' value, which leads to an integer overflow and heap-based
buffer overflow. We fixed the problem by applying the recommended
patch.

For more information please refer to
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2754

Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter
in SquirrelMail allow remote attackers to inject arbitrary web script
or HTML via the (1) "data:" URI in an HTML e-mail attachment or (2)
various non-ASCII character sets that are not properly filtered when
viewed with Microsoft Internet Explorer. We addressed the problem by
upgrading to revision 1.4.10a, which also contains lots of other bug
fixes and minor improvements.

For more information please refer to
http://www.squirrelmail.org/security/issue/2007-05-09

Since proper support of PHP5, especially 5.2, has finally materialized
in the PHP accelerator we use (eAccelerator), we are now able to
introduce PHP5 at a performance level comparable to our PHP4 setup.
For added security, it comes with the Suhosin protection system
(Hardened-PHP Project) installed, and also a superset of the extension
modules that we already have for PHP4.

A description of how to switch to PHP5 can be found in our Box Docs,
chapter "Web service", section "Web server and accelerator", module
"mod_php5 + eAccelerator". And after enabling PHP5, a detailed list of
all the features is available in the Server Box Information Area built
into your box (item "PHP environment" in the navigation menu).

Note: Users with a private copy of the Apache config template
'/box/bin/httpd.conf.eperl' may want to sync it with our default
version under '/system/sd/box/bin' in order to gain proper PHP5
support.

The libpng library contains a denial-of-service vulnerability. An
attacker may be able to exploit this vulnerability by convincing a
user to open a specially crafted PNG image. We fixed the problem by
upgrading to revision 1.2.18.

For more information please refer to
http://www.kb.cert.org/vuls/id/684664

Multiple security vulnerabilities have been found in PHP, most of
which have been disclosed in the course of the MOPB (Month of PHP
Bugs) campaign. We addressed the problem by upgrading to revision
4.4.7.

For more information please refer to
http://www.php.net/releases/4_4_7.php

Module 'PerlRun.pm' in mod_perl does not properly escape PATH_INFO
before use in a regular expression, which allows remote attackers to
cause a denial of service (resource consumption) via a specially
crafted URI. We fixed the problem by upgrading to revision 1.30.

For more information please refer to
http://secunia.com/advisories/24839

The 6.x branch of ImageMagick has been out for a while and appears to
be sufficiently mature, so we decided to upgrade to revision 6.3.3.5
at this point. We expect that applications built with the previous
release (5.5.7.36) will continue to run since the new version is
supposed to be compatible at the command line, and the old shared libs
remain available.

A vulnerability involving insecure search_path settings has been found
that allows unprivileged users to gain the SQL privileges of the owner
of any SECURITY DEFINER function they are allowed to call. Securing
such a function requires both a software update and changes to the
function definition. We addressed the server software side of the
problem by upgrading to revision 7.3.19. However, applications that
use the SECURITY DEFINER feature may need to be fixed independently.

For more information please refer to
http://www.postgresql.org/about/news.791
http://www.postgresql.org/docs/techdocs.77

This is a maintenance release which
introduces a number of bug fixes and improvements.

This maintenance release introduces a number
of bug fixes, improvements and new features.

A weakness in Fetchmail's POP3 client implementation of the APOP
authentication scheme makes it easier than necessary for
man-in-the-middle attackers to recover the first three characters of
the APOP secret through repeated probing and guessing, bringing a
brute-force attack on the remaining characters well within reach. We
fixed this problem by upgrading to revision 6.3.8.

For more information please refer to
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt

A number of fixes and improvements have accumulated since our last
kernel update (almost four months ago), which we decided to put into
production today.

One change worth mentioning is the fix for a long-standing bug (in all
FreeBSD distributions since at least 3.x) with regard to the initial
TCP window size when the connecting peer uses window scaling. This
could result in a short first packet, which normally does no harm and
is just a minor inefficiency. However, if the connecting program
expects the initial message, for instance an SMTP greeting banner, to
fit into a single packet instead of two, this will cause a
compatibility issue. Actually, programs exhibiting such behavior can
be considered broken, but they reportedly exist on the Internet. In
any case, the problem is fixed now.

In order to activate the new UNIX kernel we had to reboot all of our
servers. We apologize for the short service interruption.

This maintenance release introduces a number
of bug fixes, improvements and new features.

A security vulnerability has been found in mod_jk that allows remote
attackers to execute arbitrary code. Authentication is not required to
exploit this vulnerability. The specific flaw exists in the URI
handler for the mod_jk.so library, map_uri_to_worker(), defined in
native/common/jk_uri_worker_map.c. When parsing a long URL request,
the URI worker map routine performs an unsafe memory copy. This
results in a stack overflow condition which can be leveraged to
execute arbitrary code. We fixed the problem by upgrading to revision
1.2.21.

For more information please refer to
http://www.zerodayinitiative.com/advisories/ZDI-07-008.html

This release basically addresses the regressions
in 4.4.5 that we already fixed with patches from CVS on 2007-02-19.

Multiple security vulnerabilities have been found in PHP, including
buffer overflows, stack overflows, format string and information
disclosure vulnerabilities. We addressed the problem by upgrading to
revision 4.4.5 plus a number of patches from CVS that fix accidental
regressions.

For more information please refer to
http://www.php.net/releases/4_4_5.php

Besides other bug fixes, this release removes a security vulnerability
that allowed connected users to read backend memory. This error can
easily be exploited to cause a backend crash, and in principle might
be used to read database content that the user should not be able to
access.

For more information please refer to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555

This is a maintenance release which
introduces numerous bug fixes and improvements.

Ncftp 3.2.0 is just a maintenance release
which introduces some minor bug fixes and improvements.

The new stable branch 4.2.x of Multitail is a merge between the
previous stable branch 4.0.x and development code from 4.1.x. It
introduces a number of improvements, and of course bug fixes.

A small number of bugs and security issues have been addressed in this
release.

Please note that since upgrading involves a database update we have to
leave it to our users if and when to switch revisions. The previous
release 2.0.21 (in directory '2.0.21+') will remain intact. For
upgrade instructions please refer to our "Box Docs", chapter "Web
service".

For more information please refer to
http://www.phpbb.com/phpBB/viewtopic.php?t=489624