After installing redhat4.1 I found that a few serious bug fixes
announced in Jan 97 was not included in the distribution.
First of them -- a SERIOUS SECURITY BUG in wu-ftpd allowing
any user gain a root acces to files. Patch was posted in redhat-announce
list and included in wu-ftpd-2.4.2b11-9.
Second: a bug in wu-ftpd -- ftpd doesn''t perform any log for real user
and ignores corresponding lines in ftpaccess configuration file.
Patch was posted in redhat-devel.
These two patches are placed in
ftp://shade.msu.ru/pub/linux/utils/wu-ftpd-2.4.2-secure+log.patch
Third: a bug in cracklib, which in certain conditions forces pam_unix_passwd
module to cause segmentation fault instead of authentication (in lucky case)
and performs random memory operations in other cases.
This bu also can be used in attempts to break system security
because one of affected program (passwd) is root-setuid.
Patch was posted in redhat-announce list and can be obtained from
ftp://shade.msu.ru/pub/linux/libs/cracklib25_small.bugfix.patch
Andrey V.
Savochkin
