SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: [slackware-security] WU-FTPD Security Advisory (SSA:2003-259-03) Date: Sep 24 2003 6:07AM Author: Slackware Security Team Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] WU-FTPD Security Advisory (SSA:2003-259-03) Upgraded WU-FTPD packages are available for Slackware 9.0 and - -current. These fix a problem where an attacker could use a specially crafted filename in conjunction with WU-FTPD's conversion feature (mostly used to compress files, or produce tar archives) to execute arbitrary commands on the server. In addition, a MAIL_ADMIN which has been found to be insecure has been disabled. We do not recommend deploying WU-FTPD in situations where security is required. Here are the details from the Slackware 9.0 ChangeLog: +--------------------------+ Tue Sep 23 14:43:10 PDT 2003 pasture/dontuse/wu-ftpd/wu-ftpd-2.6.2-i486-3.tgz: Fixed a security problem in /etc/ftpconversions (CVE-1999-0997). There's also another hole in wu-ftpd which may be triggered if the MAIL_ADMIN feature (notifies the admin of anonymous uploads) is used, so MAIL_ADMIN has been disabled in this build. Also note that we've moved this from /pasture to /pasture/dontuse, which should tell you something. (* Security fix *) +--------------------------+ WHERE TO FIND THE NEW PACKAGES: +-----------------------------+ Updated package for Slackware 9.0: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/pasture/dontuse/wu-ftpd/wu-ftpd- 2.6.2-i386-3.tgz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/pasture/dontuse/wu-ftpd/wu- ftpd-2.6.2-i486-3.tgz MD5 SIGNATURES: +-------------+ Slackware 9.0 package: 2585e5eb265708d0f74b7f00325aaf9f wu-ftpd-2.6.2-i386-3.tgz Slackware -current package: fa6d5af10336187de5b84e5bb6b11a39 wu-ftpd-2.6.2-i486-3.tgz INSTALLATION INSTRUCTIONS: +------------------------+ Upgrade using upgradepkg (as root): # upgradepkg wu-ftpd-2.6.2-i386-3.tgz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security slackware com +------------------------------------------------------------------------+ | HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: | +------------------------------------------------------------------------+ | Send an email to majordomo slackware com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back. Follow the instructions to | | complete the unsubscription. Do not reply to this message to | | unsubscribe! | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/cTDGakRjwEAQIjMRAg24AKCSYcjwRbXzXwwQTSHmpdlAeHSXLwCcDeOZ ur+IUEEeV3AtZwRw626sxSc= =UWc6 -----END PGP SIGNATURE----- Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus