Date:      Thu, 9 Sep 1999 17:09:40 +0300
From:      Ruslan Ermilov <ru@ucb.crimea.ua>
To:        "Rashid N. Achilov" <shelton@sentry.granch.ru>
Cc:        Bill Fink <bill@billfink.com>, security@FreeBSD.ORG
Subject:   Re: FTP Vulnerability
Message-ID:  <19990909170940.B51179@relay.ucb.crimea.ua>
In-Reply-To: <Pine.BSF.4.10.9909092051490.59511-100000@sentry.granch.ru>; from Rashid N. Achilov on Thu, Sep 09, 1999 at 08:54:08PM +0700
References:  <19990909162255.A15548@relay.ucb.crimea.ua> <Pine.BSF.4.10.9909092051490.59511-100000@sentry.granch.ru>

On Thu, Sep 09, 1999 at 08:54:08PM +0700, Rashid N. Achilov wrote:
> On Thu, 9 Sep 1999, Ruslan Ermilov wrote:
> 
> > > I've visited the mirrors for the WUFTP site(s) looking for the versions
> > > "after August 30" and there's NOTHING newer than MAY.
> > > 
> > The versions we are talking about refer to the FreeBSD ports collection.
> > The port of wu-ftpd (/usr/ports/net/wu-ftpd) has been upgraded to apply the
> > following patch:
> > 
> > ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/mapped.path.overrun.patch
> 
> On this site mapped.overrun... is dated August 24.
> In the ports tree, in the patches subdir, the newest patch is dated April 7 :-)
> 
Grr...  The advisory refers to the version of the FreeBSD port after 1999/08/30:

:RCS file: /home/ncvs/ports/ftp/wu-ftpd/Makefile,v
:head: 1.30
:----------------------------
:revision 1.29
:date: 1999/08/30 19:14:03;  author: cpiazza;  state: Exp;  lines: +4 -1
       ^^^^^^^^^^
:Add a PATCH_FILE to close a security hole in wu-ftpd.
:
:Quoted from wu-ftpd group's announcement:
:
:    Due to insufficient bounds checking on directory name lengths which can
:    be supplied by users, it is possible to overwrite the static memory
:    space of the wu-ftpd daemon while it is executing under certain
:    configurations.  By having the ability to create directories and
:    supplying carefully designed directory names to the wu-ftpd, users may
:    gain privileged access.
:
:PR:		13475
:Submitted by:	jack@germanium.xtalwind.net
:=============================================================================


-- 
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
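
An added illustration of the bug class named in the quoted announcement (directory names appended to a static path buffer without a length check), beside a bounds-checked form. This is not wu-ftpd's code and not part of the original message; `mapped`, `PATH_CAP`, `append_unchecked`, `append_checked` and `depth_accepted` are hypothetical names, and the 64-byte capacity and the directory name are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PATH_CAP 64              /* constructed size; real daemons use MAXPATHLEN */

static char mapped[PATH_CAP] = "/";   /* static buffer tracking the current directory */

/* Unchecked form of the bug class: the client-chosen name is appended with no
 * length test, so a deep enough tree writes past the end of the static buffer. */
void append_unchecked(const char *dir)
{
    if (strcmp(mapped, "/") != 0)
        strcat(mapped, "/");
    strcat(mapped, dir);
}

/* Checked form: compute the final length first and refuse the change,
 * leaving the buffer untouched, when it would not fit with its NUL. */
int append_checked(const char *dir)
{
    size_t cur = strlen(mapped);
    size_t sep = (cur > 1) ? 1 : 0;      /* no extra '/' directly after the root */
    size_t add = strlen(dir);

    if (add == 0 || add >= PATH_CAP || cur + sep + add >= PATH_CAP)
        return -1;                        /* caller should fail the request */
    if (sep)
        mapped[cur++] = '/';
    memcpy(mapped + cur, dir, add + 1);   /* copies the terminating NUL as well */
    return 0;
}

/* Walk into the same constructed 20-byte name until the checked append refuses. */
int depth_accepted(void)
{
    const char *name = "AAAAAAAAAAAAAAAAAAAA";   /* constructed sample input */
    int depth = 0;

    strcpy(mapped, "/");
    while (append_checked(name) == 0)
        depth++;
    return depth;
}

int main(void)
{
    printf("accepted %d levels, length %zu\n", depth_accepted(), strlen(mapped));
    return 0;
}
```

No single 20-byte name is long on its own; the check has to cover the accumulated path, which is why it is made against the buffer's current length rather than against the name alone.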

