From owner-freebsd-security Thu Sep 9 6: 2:42 1999
Delivered-To: freebsd-security@freebsd.org
Received: from exchange1.billfink.com (exchange1.billfink.com.247.64.63.IN-ADDR.ARPA [63.64.247.93])
    by hub.freebsd.org (Postfix) with ESMTP id 9F28215133
    for ; Thu, 9 Sep 1999 06:02:38 -0700 (PDT)
    (envelope-from bill@billfink.com)
Received: by exchange1.billfink.com.247.64.63.IN-ADDR.ARPA with Internet Mail Service (5.5.2448.0)
    id ; Thu, 9 Sep 1999 09:03:02 -0400
Message-ID: <51D35DCFD7B0D21189440040333985C0013853@exchange1.billfink.com.247.64.63.IN-ADDR.ARPA>
From: Bill Fink
To: "'freebsd-security@freebsd.org'"
Subject: FTP Vulnerability
Date: Thu, 9 Sep 1999 09:03:01 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I truly apologize, I trust I'm overlooking something here.

The advisory below states:

>> Upgrade your wu-ftpd or proftpd
>> ports to the most recent versions
>> (any version after August 30, 1999
>> is not impacted by this problem).

I've visited the mirrors for the WUFTP site(s) looking for the versions
"after August 30" and there's NOTHING newer than MAY.

Regards,
Bill

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-99:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two ftp daemons in ports vulnerable to attack.

Category:       ports
Module:         wu-ftpd and proftpd
Announced:      1999-09-05
Affects:        FreeBSD 3.2 (and earlier)
                FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
                FreeBSD-current as of 1999/08/30
FreeBSD only:   NO

Patches:        NONE

I.   Background

wuftpd and proftpd have a flaw which can lead to a remote root
compromise. They are both vulnerable since they are both based on a
code base that is vulnerable.

II.  Problem Description

Remote users can gain root via a buffer overflow.

III. Impact

Remote users can gain root.

IV.  Workaround

Disable the ftp daemon until you can upgrade your system.

V.   Solution

Upgrade your wu-ftpd or proftpd ports to the most recent versions (any
version after August 30, 1999 is not impacted by this problem). If
you are running non-port versions, you should verify that your version
is not vulnerable or upgrade to using the ports version of these
programs.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN9MsfFUuHi5z0oilAQHKYQP/SGjOSQ8Ph8VqLtpStVOl6L0ocoYKv59R
B6ow00bchILYV7qlsIGFhwMITZxZH0aGd0EAxwfFKwfvu36zSzAvu1rGrFCjT5Xd
zefzAQUgj1/rWm3Jp1DxMd2BKCJrvTCOjKngIbbA2tH3AZ9xHiwefpqtIHVPikmy
XR9gpyqCj/E=
=dyHS
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message