Date:      Tue, 7 Sep 1999 10:20:19 -0600 (MDT)
From:      FreeBSD Security Officer <security-officer@freebsd.org>
To:        security-officer@freebsd.org
Subject:   FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
Message-ID:  <199909071620.KAA13314@harmony.village.org>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-99:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two ftp daemons in ports vulnerable to attack.

Category:       ports
Module:         wu-ftpd and proftpd
Announced:      1999-09-05
Affects:        FreeBSD 3.2 (and earlier)
		FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
		FreeBSD-current as of 1999/08/30
FreeBSD only:   NO

Patches:        NONE

I.   Background    

wu-ftpd and proftpd have a flaw which can lead to a remote root
compromise.  Both are vulnerable because both are based on a code
base that is vulnerable.

II.  Problem Description

Remote users can gain root via a buffer overflow.

III. Impact

Remote users can gain root.

IV.  Workaround

Disable the ftp daemon until you can upgrade your system.

V.   Solution

Upgrade your wu-ftpd or proftpd ports to the most recent versions (any
version after August 30, 1999 is not impacted by this problem).  If
you are running non-port versions, you should verify that your version
is not vulnerable or switch to the ports version of these programs.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN9MsfFUuHi5z0oilAQHKYQP/SGjOSQ8Ph8VqLtpStVOl6L0ocoYKv59R
B6ow00bchILYV7qlsIGFhwMITZxZH0aGd0EAxwfFKwfvu36zSzAvu1rGrFCjT5Xd
zefzAQUgj1/rWm3Jp1DxMd2BKCJrvTCOjKngIbbA2tH3AZ9xHiwefpqtIHVPikmy
XR9gpyqCj/E=
=dyHS
-----END PGP SIGNATURE-----

