From owner-freebsd-announce Wed Sep 15 20:47:17 1999 Delivered-To: freebsd-announce@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id DE70A152B5; Wed, 15 Sep 1999 20:47:05 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA75578; Wed, 15 Sep 1999 21:47:04 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: (from root@localhost) by harmony.village.org (8.9.3/8.8.3) id VAA18397; Wed, 15 Sep 1999 21:46:28 -0600 (MDT) Date: Wed, 15 Sep 1999 21:46:28 -0600 (MDT) Message-Id: <199909160346.VAA18397@harmony.village.org> From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd REISSUED Reply-To: security-officer@freebsd.org Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-99:03 Security Advisory FreeBSD, Inc. Topic: Three ftp daemons in ports vulnerable to attack. Category: ports Module: wu-ftpd and proftpd Announced: 1999-09-05 Reissued: 1999-09-15 Affects: FreeBSD 3.2 (and earlier) FreeBSD-current and -stable before the correction date. Corrected: FreeBSD-3.3 RELEASE FreeBSD as of 1999/08/30 for wuftpd only (Note: there is only one ports tree which is shared with all FreeBSD branches, so if you are running a -stable version of FreeBSD you will also be impacted.) FreeBSD only: NO Bugtraq Id: proftpd: 612 Patches: NONE I. Background wuftpd, beroftpd and proftpd are all optional portions of the system designed to replace the stock ftpd on a FreeBSD system. They are written and maintained by third parties and are included in the FreeBSD ports collection. II. Problem Description There are different security problems which can lead to remote root access in these ports or packages. The standard ftp daemon which ships with FreeBSD is not impacted by either of these problems. III. Impact Remote users can gain root. IV. Workaround Disable the ftp daemon until you can upgrade your system, or use the stock ftpd that comes with FreeBSD. V. Solution Upgrade your wu-ftpd port to the version in the cvs repository after August 30, 1999. If you are not using the wu-ftpd port, then you should visit their web site and follow instructions there to patch your existing version. beroftpd, which was listed in the original wu-ftpd group's advisory as having a similar problem, has not been corrected as of September 15, 1999. It will not be in the 3.3 release. The port has been marked forbidden and will remain so until the security problems have been corrected. If you are running beroftpd you are encouraged to find if patches are available for it which corrects these problems before enabling it on your system. proftpd, which had different security problems, has not been updated to a safe version as of September 15, 1999. It will not be in the 3.3 release. It will not be in the 3.3 release. The port has been marked forbidden and will remain so until the security problems have been corrected. If you are running proftpd, you are encouraged to find out if there are patches which correct these problems before reenabling it on your system. The previous advisory suggested that any FreeBSD ports version of proftpd after August 30 had the security problems corrected. This has proven to not be the case and was the primary reason for reissuing this advisory. While reissuing the advisory, we added beroftpd since it shares a code history with wu-ftpd. The original advisory mistakenly asserted that proftpd also shared a code history with wuftpd, which is not the case. VI. Credits and Pointers The wu-ftpd advisory can be found at ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org Security notifications: security-notifications@freebsd.org Security public discussion: freebsd-security@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBN+BmhFUuHi5z0oilAQFlOAQAiU3kAPurRruiFGfG33OsM3ni86HFpKPZ Hb9pINkP9Fu8qdKD/JKYYSxCLRhJLoqojSHXXpVvhJUOQx+1RVaiVCVNvZhV0ypx 0M/+VEg1IpusbxkTRbNFE6cUrMwAiHvbZepYp41slTiA2MwDV7cqX1yvv1InGU1z HSfQSOB/Kfs= =NPAs -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message