From: Coranth Gryphon
Reply-To: gryphon@intech.net
Date: Tue, 27 Apr 1999 12:51:51 -0400
To: Fernando Schapachnik
Cc: Igor Roshchin, freebsd-security@FreeBSD.ORG
Subject: Re: wu-ftpd: is there a vulnerability ? (was: Re: limit ftp users to their homedir)
Message-ID: <3725EB27.58FAC00F@intech.net>
References: <199904261540.MAA23971@ns1.sminter.com.ar>

Fernando Schapachnik wrote:
>
> > wu-ftpd on FreeBSD was not vulnerable
> > to the most recent (realpath function) vulnerability due to
> > specifics of FreeBSD's implementation of the realpath function.

The FreeBSD version (and others with that codebase) are _less_
vulnerable. The problem is with buffer overruns within the WU source,
only some of which are in the 'realpath' chunks.

> various Unices so I preferred to change to the VR version on
> FreeBSD machines also just to have the same software in all the

The 'VR' series has now become the 'official' WU line -- we took over
where 'Academ' left off. Coming some time in May is the 2.5.0 release
of WU-FTPd, with most of the 'VR' patches (up thru VR17) rolled in,
plus additional security fixes.

The current VR series is on:
    ftp://ftp.vr.net/pub/wu-ftpd

Soon (when we finish getting organized :-), there will be:
    http://www.wuftpd.org
    ftp://ftp.wuftpd.org

-coranth

=========================================
[gryphon@wuftpd.org, gryphon@freebsd.org]
Open Source -- The Only Solution