From: Igor Roshchin
To: freebsd-security@FreeBSD.ORG
Subject: wu-ftpd: is there a vulnerability ? (was: Re: limit ftp users to their homedir)
Date: Mon, 26 Apr 1999 10:29:04 -0500 (CDT)
Message-Id: <199904261529.KAA17354@alecto.physics.uiuc.edu>

From time to time somebody mentions that the current version of
wu-ftpd is vulnerable (e.g. see below).
Unless I missed something, there were no postings about that on this
(freebsd-security) mailing list.

Also, as it was explained earlier (sorry, I don't remember who it was,
probably Satoshi Asami?), wu-ftpd on FreeBSD was not vulnerable to
the most recent (realpath function) vulnerability due to specifics of
FreeBSD's implementation of the realpath function.

So, I hope that either Warner Losh, or Satoshi Asami, or Andrey Chernov
can confirm the current state of the wu-ftpd port.

Also, it would be really helpful (I asked this earlier but it was not
noticed) to know what was the latest vulnerable version of wu-ftpd on
FreeBSD?

Regards,

Igor

----- Forwarded message from Fernando Schapachnik -----

I use wu-ftpd for this and it works nicely. It also has some other features.
There is an exploit for the current version - I think it keeps on being
the current - so you can get wu-ftpd-VR from another vendor.
Sorry, I don't recall the URL, but you can find it easily on the Web.

<..>

----- End of forwarded message from Fernando Schapachnik -----