From owner-freebsd-security Sat Sep 11 9:58:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 2B11214E1F for ; Sat, 11 Sep 1999 09:58:21 -0700 (PDT) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.3) with ESMTP id JAA12195 for ; Sat, 11 Sep 1999 09:58:21 -0700 (PDT)
Message-ID: <199909110958210710.0AC9822F@quaggy.ursine.com>
In-Reply-To: <199909110418.WAA12288@harmony.village.org>
References: <7011ACE3864AD31183E50008C7FA081F01D4C2@ISIMAIN> <199909110418.WAA12288@harmony.village.org>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Sat, 11 Sep 1999 09:58:21 -0700
From: "Michael Bryan"
To: freebsd-security@freebsd.org
Subject: Re: Concerning Latest FTPD exploit: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Wu-ftpd is
>exploitable back to the dawn of time, if I read the commentary about
>wu-ftpd right.

I'm fairly certain that wu-ftpd is only exploitable with the VR-series of patches to 2.4.2, and later with 2.5.0. The stock 2.4.2 wu-ftpd (a little over one year old now) is not exploitable, although the beta versions of 2.4.2 had another exploit that affected them. I don't recall off-hand which branch of wu-ftpd has been included in the FreeBSD ports.

The following text is from the wu-ftpd security announcement at ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc :

    Versions known to be affected are:
        wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
        wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
        wu-ftpd-2.5.0
        BeroFTPD, all present versions
    Other derivatives of wu-ftpd may be affected. See the workarounds (section 3.3) to determine if a derivative is vulnerable.

    Versions known to be not affected are:
        NcFTPd, all versions.
        wu-ftpd-2.4.2 (final, from Academ)
        All Washington University versions.

    (Please note: ALL versions of WU-FTPD prior to wu-ftpd-2.4.2-beta-18-vr10, including all WU versions and all Academ 2.4.1 and 2.4.2 betas, are vulnerable to a remote user root-leveraging attack. See CERT Advisory CA-99-03 'FTP Buffer Overflows' at http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html and section 3.2)

Michael Bryan
fbsd-security@ursine.com
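Added after the message, as an example that is not part of the mail or of the wu-ftpd announcement: a small Python check that sorts a wu-ftpd version identifier into the affected and not-affected lists quoted above, including the CA-99-03 note covering everything before beta-18-vr10, which is the kind of inventory triage a FreeBSD ports admin would do after reading the thread. It assumes identifiers written the way the announcement writes them ("wu-ftpd-2.4.2-beta-18-vr12", "wu-ftpd-2.4.2-vr16", "BeroFTPD-1.3.4"), assumes the release order beta-18-vrN < 2.4.2 final < vr16 < vr17 < 2.5.0, uses the advisory names "CA-99-03" and "2.5.0.Security.Update" as labels, and reports anything the lists do not enumerate (such as a later release) as None rather than guessing.

```python
import re

# Added example, not code from the mail or the wu-ftpd announcement.
# Assumed identifier forms: "wu-ftpd-2.4.2-beta-18-vr12", "wu-ftpd-2.4.2",
# "wu-ftpd-2.4.2-vr16", "wu-ftpd-2.5.0", "BeroFTPD-1.3.4", "NcFTPd-2.4.3".
_VERSION_RE = re.compile(
    r"^(?P<name>wu-ftpd|beroftpd|ncftpd)-(?P<ver>\d+(?:\.\d+)*)"
    r"(?:-beta-(?P<beta>\d+))?(?:-vr(?P<vr>\d+))?$")

def _key(ver, beta=None, vr=0):
    # Assumed release order: 2.4.2-beta-18-vrN < 2.4.2 final < 2.4.2-vr16
    # < 2.4.2-vr17 < 2.5.0, so betas sort before the final of the same number.
    return (ver, 0 if beta is not None else 1, beta or 0, vr)

def parse_version(ident):
    """Return (daemon name, sortable release key) for one identifier."""
    m = _VERSION_RE.match(ident.strip().lower())
    if not m:
        raise ValueError("unrecognised version identifier: %r" % ident)
    ver = tuple(int(x) for x in m.group("ver").split("."))
    beta = int(m.group("beta")) if m.group("beta") else None
    return m.group("name"), _key(ver, beta, int(m.group("vr") or 0))

_V242 = (2, 4, 2)
VR4, VR10, VR15 = _key(_V242, 18, 4), _key(_V242, 18, 10), _key(_V242, 18, 15)
FINAL, VR16, VR17 = _key(_V242), _key(_V242, vr=16), _key(_V242, vr=17)
V250 = _key((2, 5, 0))

def applicable_advisories(ident):
    """Advisories from the quoted lists that cover this version, or None
    when the version is outside what the announcement enumerates."""
    name, key = parse_version(ident)
    if name == "ncftpd":
        return []                          # "NcFTPd, all versions" unaffected
    if name == "beroftpd":
        return ["2.5.0.Security.Update"]   # "BeroFTPD, all present versions"
    if key < VR4:
        return ["CA-99-03"]                # all WU and Academ releases before vr4
    if VR4 <= key <= VR15:                 # beta-18-vr4 through vr15
        hits = ["2.5.0.Security.Update"]
        if key < VR10:                     # CA-99-03 covers everything before vr10
            hits.insert(0, "CA-99-03")
        return hits
    if key == FINAL:
        return []                          # "wu-ftpd-2.4.2 (final, from Academ)"
    if key in (VR16, VR17, V250):
        return ["2.5.0.Security.Update"]
    return None                            # e.g. 2.6.0: not in the mail's lists
```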