From: Jorge Biquez <jbiquez@icsmx.com>
To: freebsd-questions@FreeBSD.ORG
Date: Thu, 02 May 2002 16:09:04 -0500
Subject: FTP on 4.4.STABLE with problems?
Message-Id: <5.1.0.14.2.20020502160148.03248c50@icsmx.com>

Hello all.

At the company I'm working for, a client asked for a server for their simple and plain web pages. They asked for an FTP account and Apache configured. They have been working without problems. Since last month a new area of the IT department has been "auditing" the server remotely and is asking us to fix the things they found wrong (or believe to be wrong). According to them the FTP that is running by default on the 4.4-STABLE version has problems. "Their automated report says it". I'm including the message they sent me at the end of this email.
Any similar experiences on this?
What have you done with clients like this that think that "the server they ordered to be configured is configured wrong"?
Does the FTP really need to be fixed?

Thanks in advance for your comments on the FTP issue also.

Jorge Biquez

-------This is what they sent me as result of their auditing-----
FTPD glob Heap Corruption
ftp (21/tcp)
You seem to be running an FTP server which is vulnerable to the
'glob heap corruption' flaw.
An attacker may use this problem to execute arbitrary commands on this host.

*** As Nessus solely relied on the banner of the server to issue this warning,
*** so this alert might be a false positive

Solution : Upgrade your ftp server software to the latest version.
Risk factor : High

CVE : CAN-2001-0550
Related Security Advisory Cross Reference(s)
Common Vulnerability Exposure (CVE) ID: CAN-2001-0550
http://www.securityfocus.com/archive/82/180823
Bugtraq mailing list: 20011128 CORE-20011001: Wu-FTP glob heap corruption vulnerability
http://marc.theaimsgroup.com/?l=bugtraq&m=100700363414799&w=2
Cert/CC Advisory: CA-2001-33
http://www.cert.org/advisories/CA-2001-33.html
CERT/CC vulnerability note: VU#886083
http://www.kb.cert.org/vuls/id/886083
RedHat Security Advisories: RHSA-2001-157
http://www.redhat.com/support/errata/RHSA-2001-157.html
Caldera Security Advisory: CSSA-2001-041.0
http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-090.php3
HPdes Security Advisory: HPSBUX0107-162
ISS Security Advisory: 20011129 WU-FTPD Heap Corruption Vulnerability
BugTraq ID: 3581
http://www.securityfocus.com/bid/3581
-------------------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
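The scanner output above says it matched on the FTP greeting alone, and every reference it cites is about Wu-FTPD. The following triage helper, added here as an example and not part of the original mail or of Nessus, parses a finding in that text format, classifies a 220 greeting by daemon family, and decides whether a banner-only finding can be closed as a probable false positive or needs confirmation. The greeting formats it recognises (a "wu-<version>" string for Wu-FTPD, a "Version <n>.<nn>LS" string for BSD-derived ftpd) are assumptions, and the sample finding text is constructed from the mail.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Nessus finding quoted in the mail, trimmed to the
# lines the parser needs.
SAMPLE_FINDING = """FTPD glob Heap Corruption
ftp (21/tcp)
*** As Nessus solely relied on the banner of the server to issue this warning,
*** so this alert might be a false positive
Solution : Upgrade your ftp server software to the latest version.
Risk factor : High
CVE : CAN-2001-0550
"""


@dataclass
class Finding:
    title: str
    port: int
    risk: str
    cve: str
    banner_only: bool  # scanner admits it matched on the greeting only


def parse_finding(text: str) -> Finding:
    """Pull the fields we triage on out of a Nessus-style plugin text block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    port = int(re.search(r"\((\d+)/tcp\)", lines[1]).group(1))
    risk = re.search(r"Risk factor\s*:\s*(\w+)", text).group(1)
    cve = re.search(r"CVE\s*:\s*(\S+)", text).group(1)
    return Finding(lines[0], port, risk, cve, "relied on the banner" in text)


def ftpd_family(greeting: str) -> str:
    """Name the daemon family from a 220 greeting (assumed banner formats)."""
    if re.search(r"\bwu-\d", greeting, re.I):          # e.g. "Version wu-2.6.1(1)"
        return "wu-ftpd"
    if re.search(r"Version \d+\.\d+LS\b", greeting):   # e.g. "Version 6.00LS"
        return "bsd-ftpd"
    return "unknown"


def triage(finding: Finding, greeting: str) -> str:
    """Decide what a banner-based finding means for the daemon actually running."""
    fam = ftpd_family(greeting)
    if not finding.banner_only:
        return "scanner claims an active check: treat as confirmed, patch"
    if fam == "wu-ftpd":
        return "banner matches the affected product: confirm version, then patch"
    if fam == "unknown":
        return "banner-only finding, daemon unidentified: verify by hand"
    return f"banner-only finding but daemon is {fam}, not wu-ftpd: probable false positive"
```

Run `triage(parse_finding(SAMPLE_FINDING), greeting)` with the greeting captured from the server to get the verdict; a "probable false positive" still deserves a note in the audit response explaining which daemon is actually running.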