FreeBSD Security Officer
1999-Sep-07 09:22 UTC
FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
=============================================================================
FreeBSD-SA-99:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two ftp daemons in ports vulnerable to attack.

Category:       ports
Module:         wu-ftpd and proftpd
Announced:      1999-09-05
Affects:        FreeBSD 3.2 (and earlier)
                FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
                FreeBSD-current as of 1999/08/30
FreeBSD only:   NO

Patches:        NONE

I.   Background

wu-ftpd and proftpd have a flaw which can lead to a remote root
compromise. They are both vulnerable since they are both based on a
code base that is vulnerable.

II.  Problem Description

Remote users can gain root via a buffer overflow.

III. Impact

Remote users can gain root.

IV.  Workaround

Disable the ftp daemon until you can upgrade your system.

V.   Solution

Upgrade your wu-ftpd or proftpd ports to the most recent versions (any
version after August 30, 1999 is not impacted by this problem). If
you are running non-port versions, you should verify that your version
is not vulnerable or upgrade to using the ports version of these
programs.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================