From owner-doc-jp@jp.freebsd.org  Wed Jul 12 07:54:39 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id HAA40371;
	Wed, 12 Jul 2000 07:54:39 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from smtp02.246.ne.jp (smtp02.246.ne.jp [210.253.192.36])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with SMTP id HAA40366
	for <doc-jp@jp.freebsd.org>; Wed, 12 Jul 2000 07:54:37 +0900 (JST)
	(envelope-from y-koga@jp.FreeBSD.org)
Received: (qmail 7010 invoked by alias); 12 Jul 2000 07:54:37 +0900
Message-ID: <20000711225437.7009.qmail@smtp.246.ne.jp>
Received: (qmail 7000 invoked from network); 12 Jul 2000 07:54:35 +0900
Received: from tp4hr186.246.ne.jp (HELO localhost) (210.253.193.186)
  by smtp.246.ne.jp with SMTP; 12 Jul 2000 07:54:35 +0900
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000710155719.18646.qmail@smtp.246.ne.jp>
References: <20000705230415.3BA5A37BCFB@hub.freebsd.org>
	<20000710155719.18646.qmail@smtp.246.ne.jp>
X-Mailer: Mew version 1.94.2 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Wed, 12 Jul 2000 07:54:34 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7530
Subject: [doc-jp 7530] Re: ANNOUNCE: FreeBSD Ports Security Advisory:
 FreeBSD-SA-00:26.popper
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: y-koga@jp.freebsd.org

revised $B:9J,(B:

--- FreeBSD-SA-00-26.BAK	Wed Jul 12 07:44:58 2000
+++ FreeBSD-SA-00-26	Wed Jul 12 07:45:34 2000
@@ -2,11 +2,12 @@
 FreeBSD-SA-00:26                                           Security Advisory
                                                                 FreeBSD, Inc.
 
-Topic:          popper port contains remote vulnerability
+Topic:          popper port contains remote vulnerability [REVISED]
 
 Category:       ports
 Module:         popper
 Announced:      2000-07-05
+Revised:	2000-07-11
 Credits:        Prizm <prizm@RESENTMENT.ORG>
 Affects:        Ports collection.
 Corrected:      2000-05-25
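Review bot: the new `Revised:` line uses a tab after the colon where every neighbouring field (`Announced:      2000-07-05`, `Credits:        Prizm ...`) pads with spaces, so the date will not line up with the other fields in the rendered advisory; pad with spaces to match. Also, the body hunks below rename the port from "popper" to "qpopper", but `Topic:` and `Module:` here still read "popper"; consider updating both so the header names the same port as the text it introduces.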
@@ -19,17 +20,18 @@
 
 II.  Problem Description
 
-The popper port, version 2.53 and earlier, incorrectly parses string
+The qpopper port, version 2.53 and earlier, incorrectly parses string
 formatting operators included in part of the email message header. A
 remote attacker can send a malicious email message to a local user
 which can cause arbitrary code to be executed on the server when a POP
 client retrieves the message using the UIDL command. The code is
 executed as the user who is retrieving mail: thus if root reads email
-via POP3 this can lead to a root compromise.
+via POP3 this can lead to a root compromise. This vulnerability is
+not present in qpopper-3.0.2, also available in FreeBSD ports.
 
-The popper port is not installed by default, nor is it "part of
+The qpopper port is not installed by default, nor is it "part of
 FreeBSD" as such: it is part of the FreeBSD ports collection, which
-contains over 3400 third-party applications in a ready-to-install
+contains over 3500 third-party applications in a ready-to-install
 format. The ports collection shipped with FreeBSD 4.0 contains this
 problem since it was discovered after the release, but it was fixed in
 time for FreeBSD 3.5.
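Review bot: the added sentence "This vulnerability is not present in qpopper-3.0.2, also available in FreeBSD ports" would be more useful with the port location, since a reader of section II has no way to tell qpopper-3.0.2 apart from the vulnerable 2.53 port until reaching the solution section; suggest "... in qpopper-3.0.2 (mail/popper3), also available in FreeBSD ports", matching the path given under V. Solution. The "popper" to "qpopper" rename is applied consistently within this hunk, and the 3400 to 3500 change is accounted for by the revision history entry.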
@@ -43,29 +45,36 @@
 Remote users can cause arbitrary code to be executed as the retrieving
 user when a POP client retrieves email.
 
-If you have not chosen to install the popper port/package, then
+If you have not chosen to install the qpopper-2.53 port/package, then
 your system is not vulnerable to this problem.
 
 IV.  Workaround
 
-Deinstall the popper port/package, if you you have installed it.
+Deinstall the qpopper-2.53 port/package, if you you have installed it.
 
 V.   Solution
 
 One of the following:
 
-1) Upgrade your entire ports collection and rebuild the popper port.
+1) Upgrade your entire ports collection and rebuild the qpopper port,
+or upgrade to qpopper-3.0.2 available in /usr/ports/mail/popper3.
 
 2) Deinstall the old package and install a new package dated after the
 correction date, obtained from:
 
-ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/popper-2.53.tar.gz
-ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/popper-2.53.tar.gz
-ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/popper-2.53.tar.gz
-ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/popper-2.53.tar.gz
-ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/popper-2.53.tar.gz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/qpopper-2.53.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/qpopper-2.53.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/qpopper-2.53.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/qpopper-2.53.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/qpopper-2.53.tgz
+
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/qpopper3-3.0.2.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/qpopper3-3.0.2.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/qpopper3-3.0.2.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/qpopper3-3.0.2.tgz
+ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/qpopper3-3.0.2.tgz
 
-3) download a new port skeleton for the popper port from:
+3) download a new port skeleton for the qpopper port from:
 
 http://www.freebsd.org/ports/
 
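Review bot: the rewritten workaround line carries over the doubled word from the original, "if you you have installed it"; since the line is being changed anyway, fix it to "if you have installed it". Two smaller points: solution 1) points at `/usr/ports/mail/popper3` while the package URLs and the revision history call the same software `qpopper3-3.0.2`, so a short note that the popper3 port builds the qpopper3 package would save readers a lookup; and item 3) still begins lowercase ("download") where items 1) and 2) begin with a capital.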
@@ -76,3 +85,9 @@
 package can be obtained from:
 
 ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz
+
+VI.   Revision History
+
+v1.0  2000-07-05  Initial release
+v1.1  2000-07-11  Correct URL of qpopper-2.53 package and note availability of
+                  qpopper3-3.0.2. Update size of ports collection.
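Review bot: the new section heading `VI.   Revision History` has three spaces after the numeral, while the existing headings in this advisory align their titles at the same column (`II.  Problem Description`, `IV.  Workaround`, `V.   Solution`); `VI.  Revision History` with two spaces keeps that alignment. The v1.1 entry otherwise matches the changes in the earlier hunks (package URL correction, qpopper3-3.0.2 note, ports count); it could also mention the `Revised:` date field added to the header, since that is the field readers will check to see which version of the advisory they hold.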

----
$B$3$,$h$&$$$A$m$&(B
