From owner-freebsd-security Sun Jun 8 20:30:30 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA01130 for security-outgoing; Sun, 8 Jun 1997 20:30:30 -0700 (PDT)
Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA01125 for ; Sun, 8 Jun 1997 20:30:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with SMTP id UAA00434; Sun, 8 Jun 1997 20:31:07 -0700 (PDT)
Message-Id: <199706090331.UAA00434@implode.root.com>
X-Authentication-Warning: implode.root.com: localhost [127.0.0.1] didn't use HELO protocol
To: Mark Rollings
cc: yossman , security@FreeBSD.ORG
Subject: Re: ftpd security weakness on FreeBSD (fwd)
In-reply-to: Your message of "Sun, 08 Jun 1997 21:03:28 EDT." <3.0.32.19970608210325.009c66a0@mail.telcentral.net>
From: David Greenman
Reply-To: dg@root.com
Date: Sun, 08 Jun 1997 20:31:07 -0700
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Above any of the below mentioned deficiencies in the ftpd, CERT recently
>released an advisory on the ftpd for practically all OS's. The replacement
>mentioned below is not satisfactory in order to properly prevent attacks
>covered in the advisory. wu-ftp-2.4.2-beta-13 is the correct ftpd to
>compile for FreeBSD based machines. The advisory can be found in complete
>form at CERT. www.cert.org.

The bug I think you're referring to was fixed in FreeBSD prior to the CERT
announcement - I was the one who found the bug and alerted CERT and AUSCERT.
...but yes, your advice to avoid pre-beta13 is very important.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project