From owner-freebsd-security Wed Oct 20 18:22:41 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 6232714CAC; Wed, 20 Oct 1999 18:22:36 -0700 (PDT) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.3) with ESMTP id SAA40410; Wed, 20 Oct 1999 18:22:31 -0700 (PDT)
Message-ID: <199910201822360100.19F76012@quaggy.ursine.com>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Wed, 20 Oct 1999 18:22:36 -0700
From: "Michael Bryan"
To: freebsd-security@FreeBSD.ORG
Subject: Re: CERT CA-99.13
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 10/20/99 at 5:13 PM Kris Kennaway wrote:

>On Wed, 20 Oct 1999, Kelsey Cummings wrote:
>> Is the WU-FTPD port in /ftp/wu-ftpd with makefile dated 09/03 vulnerable as
>> described in the CERT notice? It wouldn't appear so since it's dated later
>> than August 30th, but I wanted to double check.
>
>See the FreeBSD security advisory:
>
>http://www.freebsd.org/security/#adv

That does not cover the latest CERT notice. There have been additional vulnerabilities found in all versions of wu-ftpd prior to 2.6.0, which was just released. The most recent CERT notice describes three vulnerabilities, only one of which is addressed in the FreeBSD advisory.

The information in the CERT announcement (available at http://www.cert.org/advisories/CA-99-13-wuftpd.html) seems to be potentially wrong in regards to the FreeBSD information, for the following reason.
Under the WU-FTPD section of the CERT announcement, it says the following regarding Vulnerabilities #2 and #3:

    Not vulnerable: wu-ftpd-2.6.0

    Vulnerable: All versions of wuarchive-ftpd and wu-ftpd prior to
    version 2.6.0, from wustl.edu, academ.com, vr.net and wu-ftpd.org.
    BeroFTPD, all versions

Yet the FreeBSD section says this:

    FreeBSD has updated its wuftpd and proftpd ports to correct this
    problem as of August 30, 1999. Users of these ports are encouraged
    to upgrade their installation to these newer versions of these
    ports as soon as possible.

That information seems to apply to -only- Vulnerability #1 in the CERT announcement. I seriously doubt that the FreeBSD port of wuftpd was corrected on 8/30/99, since 2.6.0 was not out at that time. (Unless the port includes a patch for the other two problems, which I doubt.)

If I'm correct, then the FreeBSD port is still vulnerable until such time that it's upgraded for wuftpd 2.6.0. The /pub/FreeBSD/ports/distfiles directory only has up to version 2.5.0.

Can somebody with definite detailed knowledge of the wuftpd port confirm or deny my suspicions?

Michael Bryan
fbsd-security@ursine.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
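The point of the message above is that a Makefile date, or even an upstream version string, does not tell you which of the three CA-99-13 issues a given wu-ftpd build has fixed: the FreeBSD advisory's 1999-08-30 fix for Vulnerability #1 is a patch applied to 2.5.0 in the port, while #2 and #3 are only fixed by moving to 2.6.0. The following Python is an added example, not code from the thread, CERT or the FreeBSD project. It reads a wu-ftpd 220 greeting, extracts the upstream version, and reports a per-issue verdict that is deliberately inconclusive where a distro patch could be present. The hostnames and greetings are constructed, and the assumption that 2.6.0 carries the fix for all three issues is taken from the message's own reading of the advisory.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample 220 greetings (not captured from any real host). wu-ftpd
# announces itself as "Version wu-X.Y.Z(build)" inside the greeting line.
SAMPLE_BANNERS = {
    "port_2.5.0": "220 ftp.example.org FTP server (Version wu-2.5.0(1) Tue Aug 31 10:00:00 PDT 1999) ready.",
    "port_2.6.0": "220 ftp.example.org FTP server (Version wu-2.6.0(1) Tue Oct 19 10:00:00 PDT 1999) ready.",
    "no_version": "220 ftp.example.org FTP server ready.",
}

# The three CA-99-13 issues as the message above lays them out (assumption:
# 2.6.0 fixes all three). Issue 1 was also fixed in FreeBSD's port on
# 1999-08-30 by patching 2.5.0, so a "wu-2.5.0" greeting is compatible with
# both a patched and an unpatched build; the version alone cannot decide it.
ADVISORIES = {
    "1": {"fixed_in": (2, 6, 0), "distro_patch_exists": True},
    "2": {"fixed_in": (2, 6, 0), "distro_patch_exists": False},
    "3": {"fixed_in": (2, 6, 0), "distro_patch_exists": False},
}

_WU_VERSION = re.compile(r"\bwu-(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a wu-ftpd greeting, or None."""
    m = _WU_VERSION.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(banner: str) -> Dict[str, str]:
    """Map each advisory issue to one of: fixed, vulnerable, undetermined, unknown."""
    ver = parse_version(banner)
    verdict: Dict[str, str] = {}
    for issue, adv in ADVISORIES.items():
        if ver is None:
            verdict[issue] = "unknown"        # not a wu-ftpd greeting we can read
        elif ver >= adv["fixed_in"]:
            verdict[issue] = "fixed"          # upstream release carries the fix
        elif adv["distro_patch_exists"]:
            verdict[issue] = "undetermined"   # fixed only if the port patch was applied
        else:
            verdict[issue] = "vulnerable"     # nothing short of 2.6.0 fixes this
    return verdict


def needs_upgrade(banner: str) -> bool:
    """True unless every issue is confirmed fixed by the upstream version."""
    return any(v != "fixed" for v in assess(banner).values())


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:12} {assess(banner)}  upgrade={needs_upgrade(banner)}")
```

The "undetermined" verdict is the practical lesson: when a vendor ships a fix as a patch against an older upstream release, the banner still says 2.5.0, so a scanner keyed on version numbers will either miss the fix or, if it trusts the vendor's advisory blindly, miss the two issues that advisory never covered. Confirming the port's state means inspecting the port's patch files or the installed package, not the greeting.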