From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 15:41:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDB7437B47A for ; Thu, 31 Jul 2003 15:41:10 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2CF5543FB1 for ; Thu, 31 Jul 2003 15:40:33 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 3C46554840; Thu, 31 Jul 2003 17:40:17 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id C2CA16D455; Thu, 31 Jul 2003 17:40:16 -0500 (CDT) Date: Thu, 31 Jul 2003 17:40:16 -0500 From: "Jacques A. Vidrine" To: John Fox Message-ID: <20030731224016.GA91355@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , John Fox , freebsd-security@freebsd.org References: <20030731183553.GA85469@mind.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030731183553.GA85469@mind.net> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Jul 2003 22:41:18 -0000 On Thu, Jul 31, 2003 at 11:35:53AM -0700, John Fox wrote: > Hello, > > I see in BugTraq that there's yet another problem with Wu-ftpd, but I see > no mention of it in the freebsd-security mailing list archives...I have > searched the indexes from all of June and July. > > Wu is pretty widely used, so I'm surprised that nobody seems to have > mentioned this problem in this forum. > > The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no > reason to assume that FreeBSD machines aren't vulnerable, too. Which is > why I am confused as to the lack of discussion of this matter. > > Can anyone shed some light on this? Hmm. The issue was scheduled to be made public at 12:00 pm EDT today. Daniel Harris committed the fix to the FreeBSD Ports Collection around 12:07 pm EDT today. This issue will be rolled into the next FreeBSD Security Notice (probably Monday --- serious problems like this tend to `trigger' a notice). If you want to bitch at someone, bitch at the wu-ftpd.org guys for ignoring the reported bug for two months. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se