Date:      Wed, 20 Oct 1999 18:22:36 -0700
From:      "Michael Bryan" <fbsd-security@ursine.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: CERT CA-99.13
Message-ID:  <199910201822360100.19F76012@quaggy.ursine.com>
In-Reply-To: <Pine.BSF.4.10.9910201712490.59119-100000@hub.freebsd.org>
References:  <Pine.BSF.4.10.9910201712490.59119-100000@hub.freebsd.org>


On 10/20/99 at 5:13 PM Kris Kennaway wrote:
>On Wed, 20 Oct 1999, Kelsey Cummings wrote:
>> Is the WU-FTPD port in /ftp/wu-ftpd with makefile dated 09/03 vulnerable as
>> described in the CERT notice?  It wouldn't appear so since it's dated later
>> than August 30th but I wanted to double check.
>
>See the FreeBSD security advisory:
>
>http://www.freebsd.org/security/#adv

That does not cover the latest CERT notice.  There have been
additional vulnerabilities found in all versions of wu-ftpd
prior to 2.6.0, which was just released.  The most recent
CERT notice describes three vulnerabilities, only one of
which is addressed in the FreeBSD advisory.

The information in the CERT announcement (available at
http://www.cert.org/advisories/CA-99-13-wuftpd.html) seems
to be potentially wrong in regards to the FreeBSD information,
for the following reason.  Under the WU-FTPD section of
the CERT announcement, it says the following regarding
Vulnerabilities #2 and #3:

    Not vulnerable:
        wu-ftpd-2.6.0

    Vulnerable:
        All versions of wuarchive-ftpd and wu-ftpd prior to
        version 2.6.0, from wustl.edu, academ.com, vr.net
        and wu-ftpd.org.
        BeroFTPD, all versions

Yet the FreeBSD section says this:

    FreeBSD has updated its wuftpd and proftpd ports to
    correct this problem as of August 30, 1999. Users of
    these ports are encouraged to upgrade their installation
    to these newer versions of these ports as soon as possible.

That information seems to apply to -only- Vulnerability #1 in
the CERT announcement.  I seriously doubt that the FreeBSD port
of wuftpd was corrected on 8/30/99, since 2.6.0 was not out
at that time.  (Unless the port includes a patch for the other
two problems, which I doubt.)  If I'm correct, then the FreeBSD
port is still vulnerable until such time as it's upgraded to
wuftpd 2.6.0.  The /pub/FreeBSD/ports/distfiles directory only
has up to version 2.5.0.

Can somebody with definite detailed knowledge of the wuftpd
port confirm or deny my suspicions?


Michael Bryan
fbsd-security@ursine.com



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
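The question in this thread is whether a given wu-ftpd build falls inside the version ranges CA-99-13 lists for vulnerabilities #2 and #3 (everything before 2.6.0, plus every BeroFTPD), and whether a port date alone can answer it. The script below is an added example, not code from the thread, from CERT or from the FreeBSD ports tree: it parses the version out of the FTP greeting banner and classifies it against the cutoff as quoted above. The banner formats, host names and sample greetings are constructed for the example; the caveat in the pre-2.6.0 branch is the point Michael raises, that a vendor patch for #1 (such as a port updated on 30 August 1999) leaves the version string at 2.5.0, so the banner cannot show whether #1 is fixed, only that #2 and #3 are not.

```python
import re

# Version cutoff from CERT CA-99-13 as quoted in the thread: 2.6.0 is not
# vulnerable to #2 and #3; every earlier wu-ftpd/wuarchive-ftpd is, and
# BeroFTPD is listed as vulnerable in all versions.
FIXED_IN = (2, 6, 0)

# Assumed greeting formats (constructed for this example), e.g.
#   "220 host FTP server (Version wu-2.5.0(1) Tue Sep 7 12:00:00 PDT 1999) ready."
#   "220 host FTP server (Version BeroFTPD 1.3.4 ...) ready."
WU_RE = re.compile(r"\(Version\s+wu-(\d+)\.(\d+)\.(\d+)")
BERO_RE = re.compile(r"\(Version\s+BeroFTPD\b")


def parse_banner(banner):
    """Return ('wu', (major, minor, patch)), ('bero', None), or None."""
    m = WU_RE.search(banner)
    if m:
        return ("wu", tuple(int(g) for g in m.groups()))
    if BERO_RE.search(banner):
        return ("bero", None)
    return None


def assess(banner):
    """Classify one greeting against the CA-99-13 ranges quoted in the thread.

    Returns a dict with keys 'family', 'version', 'vuln_2_3' and 'note'.
    'vuln_2_3' is True, False, or None when the server is not recognised
    as wu-ftpd or BeroFTPD.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return {"family": None, "version": None, "vuln_2_3": None,
                "note": "not a wu-ftpd or BeroFTPD greeting"}
    family, version = parsed
    if family == "bero":
        return {"family": family, "version": None, "vuln_2_3": True,
                "note": "BeroFTPD: all versions listed as vulnerable"}
    if version >= FIXED_IN:
        return {"family": family, "version": version, "vuln_2_3": False,
                "note": "2.6.0 or later: not vulnerable to #2/#3 per CA-99-13"}
    # Below 2.6.0.  A vendor patch for #1 (e.g. a port updated 30 Aug 1999)
    # does not change the version string, so the banner cannot show whether
    # #1 is fixed; it does show that #2 and #3 are still present.
    return {"family": family, "version": version, "vuln_2_3": True,
            "note": "pre-2.6.0: vulnerable to #2/#3; #1 status depends on "
                    "vendor patches the banner does not reveal"}


# Constructed sample greetings (not captured from real hosts).
SAMPLE_BANNERS = [
    "220 ftp.example.org FTP server (Version wu-2.5.0(1) Tue Sep 7 12:00:00 PDT 1999) ready.",
    "220 ftp.example.net FTP server (Version wu-2.6.0(1) Fri Oct 15 10:00:00 CDT 1999) ready.",
    "220 ftp.example.com FTP server (Version BeroFTPD 1.3.4 Mon Aug 2 1999) ready.",
    "220 ProFTPD 1.2.0pre4 Server (ProFTPD) [ftp.example.edu]",
]


def audit(banners=SAMPLE_BANNERS):
    """Assess each greeting; returns the list of result dicts in order."""
    return [assess(b) for b in banners]


if __name__ == "__main__":
    for banner, result in zip(SAMPLE_BANNERS, audit()):
        print(result["vuln_2_3"], result["version"], "-", result["note"])
```

A banner check is a screening step, not proof: a site that rebuilt 2.5.0 with a patch still reports 2.5.0, and an administrator can edit the greeting, so the definitive answer for the FreeBSD port is the one Michael asks for, confirmation from the port's own sources and patch set.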