Date: Sun, 25 Jun 2000 01:40:47 -0500 (CDT)
From: Mike Silbersack
To: Koga Youichirou
Cc: wollman@khavrinen.lcs.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
In-Reply-To: <20000624013253.13473.qmail@smtp.246.ne.jp>

On Sat, 24 Jun 2000, Koga Youichirou wrote:

> Garrett Wollman :
> > Here's a patch (mangled by cut&paste) which hacks around the problem.
>
> Debian team has already released a fixed package.
> A patch is available from:
>
> http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz
>
> Then I checked it and I found that there are some other undesirable
> codes in ftpd.c. Probably these codes do not lead to security flaw,
> but I think that they should be corrected.

I'm sure that's what the people who fixed the last set of bugs in wuftpd
said when they came upon the bugs which comprise the current vuln. (But
decided not to fix them.)

Mike "Silby" Silbersack