
Hi,

FreeBSD has recently issued two security warnings concerning PINE 4.21:

  SA-00:47: pine4 port allows denial of service
  SA-00:59: pine4 port contains remote vulnerability

  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:47.pine.asc
  http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fthrea...

On the pine site they claim that they fixed these security-related bugs in 4.30:

| Bugs that have been addressed in this release include:
|
|   * Incoming mail with an extremely long From address can cause a
|     buffer overflow on the stack (security)
|   * X-Keywords crash for unix formatted mailboxes
|   * Pine crashes when replying to or forwarding messages with certain
|     types of attachments

Can we expect an update, or is SuSE's 4.21-123 not vulnerable to either bug?

Tobias
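The release-note bullet quoted above ("an extremely long From address can cause a buffer overflow on the stack") names a classic bug class. The C below is an added illustration written for this page; it is not Pine's source code and not a reconstruction of the actual Pine flaw. It shows a header parser that copies the From: value into a fixed-size stack buffer with strcpy, beside a bounded version that measures the value first and rejects anything that does not fit. ADDR_MAX, the function names and the sample header lines are assumptions made for the demo.

```c
/*
 * Added illustrative example (not Pine source code): the bug class named in
 * the Pine 4.30 release note, an unbounded copy of the From: address into a
 * fixed-size stack buffer, beside a bounded rewrite.  ADDR_MAX, the function
 * names and the sample headers are assumptions made for this demo.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ADDR_MAX 64   /* assumed size of the on-stack address buffer */

/* Return a pointer to the value of a "From:" header line (after the colon
 * and any blanks), or NULL if the line is not a From: header. */
static const char *from_value(const char *line)
{
    static const char prefix[] = "From:";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return NULL;
    line += sizeof prefix - 1;
    while (*line == ' ' || *line == '\t')
        line++;
    return line;
}

/* VULNERABLE pattern: the value is copied into addr[] with no length check.
 * A From: address longer than ADDR_MAX-1 bytes writes past the end of addr
 * and into whatever the compiler placed above it on the stack (saved
 * registers, the return address).  Kept here only to show the shape of the
 * bug; it is never called with long input in this file. */
static size_t parse_from_unsafe(const char *line)
{
    char addr[ADDR_MAX];
    const char *v = from_value(line);
    if (v == NULL)
        return 0;
    strcpy(addr, v);                 /* unbounded copy: the overflow */
    return strlen(addr);
}

/* HARDENED: the value is measured first, must fit in the caller's buffer
 * including the terminating NUL, and is otherwise rejected.  Returns the
 * number of bytes stored, or -1 when the header is missing or too long.
 * Rejecting (rather than truncating) keeps a too-long sender from being
 * displayed as a shorter, different-looking address. */
static int parse_from_safe(const char *line, char *out, size_t outsz)
{
    const char *v = from_value(line);
    if (v == NULL || outsz == 0)
        return -1;
    size_t n = strcspn(v, "\r\n");   /* value ends at end of line */
    if (n >= outsz)                  /* n bytes plus NUL must fit */
        return -1;
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* Demo helper: build a constructed "From: aaaa...\n" line whose address is
 * addr_len bytes long and return the hardened parser's verdict for it
 * (byte count stored, or -1 for rejected).  -2 means addr_len exceeds the
 * demo's own line buffer. */
static int safe_result_for_len(size_t addr_len)
{
    char line[ADDR_MAX * 8];
    char out[ADDR_MAX];
    const char hdr[] = "From: ";
    size_t pre = sizeof hdr - 1;

    if (addr_len + pre + 2 > sizeof line)
        return -2;
    memcpy(line, hdr, pre);
    memset(line + pre, 'a', addr_len);
    line[pre + addr_len] = '\n';
    line[pre + addr_len + 1] = '\0';
    return parse_from_safe(line, out, sizeof out);
}

int main(void)
{
    char out[ADDR_MAX];
    const char *sample = "From: alice@example.org\n";   /* constructed */

    printf("safe parser, ordinary address : %d bytes\n",
           parse_from_safe(sample, out, sizeof out));
    printf("safe parser, 400-byte address : %d (rejected)\n",
           safe_result_for_len(400));
    /* parse_from_unsafe() on the 400-byte line would smash the stack of
     * this very function, so it is deliberately not invoked here. */
    return 0;
}
```

The fix is not the strcpy-to-strncpy swap people reach for first: strncpy neither guarantees a terminating NUL nor tells the caller that data was lost. Measuring the value with strcspn, comparing against the buffer size including the NUL, and returning an explicit error is what lets the caller decide how to treat an oversized header instead of having the decision made for it by whatever sits above the buffer on the stack.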

Actually even more amusing is pine in the ports tree in OpenBSD, it is marked as broken and by default you cannot compile it unless you edit a line out of the makefile =) It's amazing how bad a track record WU has (WU-IMAPD, WU-FTPD, Pine...).

Kurt

On Tue, Oct 31, 2000 at 01:41:08PM -0700, Kurt Seifried wrote:
> Actually even more amusing is pine in the ports tree in OpenBSD, it is marked as broken and by default you cannot compile it unless you edit a line out of the makefile =) It's amazing how bad a track record WU has (WU-IMAPD, WU-FTPD, Pine...).
The unfortunate history of security bugs of these products is well known; please let me however point out that:

  UW-imapd and pine are from UW = University of Washington
  WU-ftpd is from WU = Western University of St Louis (wustl)

As far as I know, there is no relation between these products or their authors.

Best regards,
Lutz

PS. WU-ftpd is by now maintained by an independent group no longer related to wustl.

--
Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

> Actually even more amusing is pine in the ports tree in OpenBSD, it is marked as broken and by default you cannot compile it unless you edit a line out of the

Yes... :-) Theo DeRaadt is painless in these matters. I'm under the strong impression that he doesn't like compromises...

> makefile =) It's amazing how bad a track record WU has (WU-IMAPD, WU-FTPD, Pine...).

Sad but true. However, due to the great user friendliness of the pine program as well as its strong portability, its user base is very large.

> Kurt

Thanks,
Roman.

--
- -
| Roman Drahtmüller <draht@suse.de>   // "Caution: Cape does
| SuSE GmbH - Security     Phone:     // not enable user to fly."
| Nürnberg, Germany   +49-911-740530  // (Batman Costume warning label)
| - -

ISTR seeing a recent security advisory about a hole in php4. Is SuSE going to publish an update in the near future, or do I need to get it from the php site? I'm not going to be using this for production for another month or so, so I don't need it urgently, and if SuSE is planning an update, I'd rather wait :)

Alan Lenton

Hi Alan,

AL> ISTR seeing a recent security advisory about a hole in php4. Is SuSE
AL> going to publish an update in the near future, or do I need to get it from
AL> the php site?

This seems to be fixed:

  17 Oct 2000  mod_php4  848 kB
  mod_php4 4.0.3pl1: Security update to mod_php4 - update recommended
  Source: mod_php4-4.0.3pl1-1.src.rpm
  [ http://www.suse.com/en/support/download/updates/70_i386.html ]

Kind regards,
Andreas

--
Andreas Otto
OgilvyInteractive | Floor 2, Canberra House 315 - 317 Regent Street | London W1B 2HS
Reception +44 207 299 3434 | Fax +44 207 631 5050
http://www.ogilvy.com

Oh... I was looking at:

  http://www.suse.com/en/support/download/updates/70_update.html

That's very confusing! Thanks for putting me right.

Alan

> This seems to be fixed:

We're currently testing the apache package. Unfortunately, it's not trivial, and it needs thorough testing before we can say we have a security update. But anyway, this should work, yes.

Thanks,
Roman.

--
- -
| Roman Drahtmüller <draht@suse.de>   // "Caution: Cape does
| SuSE GmbH - Security     Phone:     // not enable user to fly."
| Nürnberg, Germany   +49-911-740530  // (Batman Costume warning label)
| - -

> Can we expect an update, or is SuSE's 4.21-123 not vulnerable to either bug?
>
> Tobias

Lenz has built a new package that is being tested right now. I don't even know if all bugs were fixed (I think that there are more than this one bug that has been mentioned in the advisory) - digging into the code was somewhat confusing at times. I'll ask him if he wants to publish it for testing.

Of course you will see an updated package, as soon as we have it and we can see that it's working just as well as the 4.21 version.

Roman.

--
- -
| Roman Drahtmüller <draht@suse.de>   // "Caution: Cape does
| SuSE GmbH - Security     Phone:     // not enable user to fly."
| Nürnberg, Germany   +49-911-740530  // (Batman Costume warning label)
| - -
Participants (6): Alan Lenton, Andreas Otto, Kurt Seifried, Lutz Jaenicke, Roman Drahtmueller, Tobias Burnus