Date: Thu, 9 Sep 1999 06:28:43 -0700
From: "Ron 'The InSaNe One' Rosson" <insane@lunatic.oneinsane.net>
To: Bill Fink <bill@billfink.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FTP Vulnerability
Message-ID: <19990909062843.A590@lunatic.oneinsane.net>
In-Reply-To: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>; from Bill Fink on Thu, Sep 09, 1999 at 09:03:01AM -0400
References: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>
On Thu, 09 Sep 1999, Bill Fink was heard blurting out:
>
>
> I truly apologize, I trust I'm overlooking something here.
>
> The advisory below states:
>
> >> Upgrade your wu-ftpd or proftpd
> >> ports to the most recent versions
> >> (any version after August 30, 1999
> >> is not impacted by this problem).
>
> I've visited the mirrors for the WUFTP site(s) looking for the versions
> "after August 30" and there's NOTHING newer than MAY.
>

Take a look at the patches in the ports tree for these ports and you will
see the changes.

>
> =============================================================================
> FreeBSD-SA-99:03                                           Security Advisory
>                                                                FreeBSD, Inc.
>
> Topic:          Two ftp daemons in ports vulnerable to attack.
>
> Category:       ports
> Module:         wu-ftpd and proftpd
> Announced:      1999-09-05
> Affects:        FreeBSD 3.2 (and earlier)
>                 FreeBSD-current before the correction date.
> Corrected:      FreeBSD-3.3 RELEASE
>                 FreeBSD-current as of 1999/08/30
> FreeBSD only:   NO
>
> Patches:        NONE
>
> I.   Background
>
> wuftpd and proftpd have a flaw which can lead to a remote root
> compromise. They are both vulnerable since they are both based on a
> code base that is vulnerable.
>
> II.  Problem Description
>
> Remote users can gain root via a buffer overflow.
>
> III. Impact
>
> Remote users can gain root.
>
> IV.  Workaround
>
> Disable the ftp daemon until you can upgrade your system.
>
> V.   Solution
>
> Upgrade your wu-ftpd or proftpd ports to the most recent versions (any
> version after August 30, 1999 is not impacted by this problem). If
> you are running non-port versions, you should verify that your version
> is not vulnerable or upgrade to using the ports version of these
> programs.
>
> =============================================================================
> FreeBSD, Inc.
>
> Web Site:                       http://www.freebsd.org/
> Confidential contacts:          security-officer@freebsd.org
> Security notifications:         security-notifications@freebsd.org
> Security public discussion:     freebsd-security@freebsd.org
> PGP Key:                        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
>
> Notice: Any patches in this document may not apply cleanly due to
>         modifications caused by digital signature or mailer software.
>         Please reference the URL listed at the top of this document
>         for original copies of all patches if necessary.
> =============================================================================
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-- 
-------------------------------------------------------------------
Ron Rosson                                 ... and a UNIX user said ...
The InSaNe One                                       rm -rf *
insane@oneinsane.net                         and all was null and void
-------------------------------------------------------------------
Practice random acts of intelligence and senseless acts of self-control.
