SuSE alert: wuftpd

Posted by dave on Nov 28, 2001 1:55 PM EDT

The wuftpd package as shipped with SuSE Linux distributions comes with two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd, and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6. The admin decides which version to use by the inetd/xinetd configuration.
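Since either binary can be the one wired into inetd or xinetd, the sketch below reports which ftp daemon a configuration would start. It is an added example, not part of the SuSE advisory; the function names and sample configs are constructed for illustration, and xinetd attributes are assumed to be written as `name = value`.

```shell
#!/bin/sh
# Added example: report which ftp daemon binary inetd/xinetd would start.

# inetd.conf fields: service type proto wait user server argv0 [args...]
# Behind a tcpd wrapper the real daemon is argv0, so report that instead.
# Commented-out entries never match because their first field starts with "#".
inetd_ftp_server() {
    awk '$1 == "ftp" {
        daemon = ($6 ~ /(^|\/)tcpd$/) ? $7 : $6
        print daemon
    }' "$@"
}

# xinetd: print the "server" of every "service ftp" block not set to disable = yes.
xinetd_ftp_server() {
    awk '
        /^[ \t]*#/      { next }
        $1 == "service" { in_ftp = ($2 == "ftp"); server = ""; disabled = 0; next }
        in_ftp && $1 == "disable" && $3 == "yes" { disabled = 1 }
        in_ftp && $1 == "server"                 { server = $3 }
        in_ftp && $1 == "}" {
            if (!disabled && server != "") print server
            in_ftp = 0
        }
    ' "$@"
}

# Map a binary name to the version the advisory says it contains.
wuftpd_version() {
    case "${1##*/}" in
        wuftpd)     echo "wuftpd-2.4.2" ;;
        wuftpd-2.6) echo "wuftpd-2.6.0" ;;
        *)          echo "other" ;;
    esac
}

# Constructed sample configs (not taken from a real host).
sample_inetd='# ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
ftp stream tcp nowait root /usr/sbin/tcpd wuftpd -a'
sample_xinetd='service ftp
{
    disable     = no
    server      = /usr/sbin/wuftpd-2.6
    server_args = -a
}'

for bin in $(printf '%s\n' "$sample_inetd"  | inetd_ftp_server) \
           $(printf '%s\n' "$sample_xinetd" | xinetd_ftp_server); do
    echo "$bin -> $(wuftpd_version "$bin")"
done
```

On a real host, pass the files instead of the samples: `inetd_ftp_server /etc/inetd.conf` and `xinetd_ftp_server /etc/xinetd.conf /etc/xinetd.d/*`. No output from either means no ftp service is enabled through that super-server.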

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package: wuftpd
        Announcement-ID: SuSE-SA:2001:043
        Date: Wednesday, Nov. 28th, 2001 23:45 MET
        Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
        Vulnerability Type: remote root compromise
        Severity (1-10): 7
        SuSE default package: no
        Other affected systems: all linux-like systems using wu-ftpd 2.4.x /
                                2.6.0 / 2.6.1

        Content of this advisory:
        1) security vulnerability resolved: wuftpd
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

    The wuftpd package as shipped with SuSE Linux distributions comes with
    two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd,
    and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6.
    The admin decides which version to use by the inetd/xinetd
    configuration.

    The CORE ST Team had found an exploitable bug in all versions of wuftpd's
    ftpglob() function.
    The glob function overwrites buffer bounds while matching open and closed
    brackets. Due to a missing
