palmetto.ftpd vulnerability clarification.

From: Jordan Ritter (jpr5at_private)
Date: Fri Feb 12 1999 - 12:49:05 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    Folks,
    
    	I have received several emails from various engineering groups
    with concerns over ambiguity in Appendix B's (OS Vendors) vulnerability
    information.  Specifically, some find it unclear as to whether or not
    machines are vulnerable running wu-ftpd or proftpd even though their
    Vendor reported the operating system as not vulnerable.
    
    To clarify, the specific versions of wu-ftpd and ProFTPD described in the
    advisory ARE vulnerable to the palmetto bug on any operating system.  The
    Vendor responses detailed in Appendix B were essentially verification of
    whether or not the vulnerable software in question was packaged by default
    with their operating system.
    
    Any OS listed in Appendix B as NOT vulnerable indicates that:
    
       1. an installation of the OS does not include the vulnerable software
           in question, and
       2. the default FTP server that _is_ included in the installation is not
           vulnerable to this large pathname attack.
    
    
    
    Regards,
    
    
    Jordan Ritter
    Network Security Engineer
    Netect, Inc.  Boston, MA
    
    "Quis custodiet ipsos custodes?"
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v0.9.2 (FreeBSD)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE2xJPE+siuashk00ERArWIAJ4ppDvEFF9TAxyJMowBcjJGtiPmewCgiNzS
    CDsX44Zpierz7f2f0BR81Bs=
    =fxYQ
    -----END PGP SIGNATURE-----
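The practical consequence of the clarification above is that an inventory check has to look at which FTP daemon and version a host actually runs, not at which operating system it runs. The following Python script is an added example (not part of the original message, the advisory, or any Netect tooling) of that kind of defensive check: it classifies captured 220 greetings by daemon and version and compares them against a caller-supplied list of affected versions. The wu-ftpd and ProFTPD greeting layouts are the ones those daemons print by default; the hostnames, the version strings in the sample banners, and the `CONSTRUCTED_VULNERABLE` table are all constructed placeholders, and the real version list must be taken from the advisory itself, which is not reproduced on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample 220 greetings (not taken from the advisory). The hostnames
# and version strings are made up for the example.
SAMPLE_BANNERS: Dict[str, str] = {
    "ftp1.example.test": "220 ftp1.example.test FTP server (Version wu-2.4.2-academ[BETA-15](1) Mon Jan 11 1999) ready.",
    "ftp2.example.test": "220 ProFTPD 1.2.0pre1 Server (ProFTPD Default Installation) [ftp2.example.test]",
    "ftp3.example.test": "220 ProFTPD 1.2.0pre3 Server (ProFTPD Default Installation) [ftp3.example.test]",
    "ftp4.example.test": "220 ftp4.example.test FTP server (SunOS 5.6) ready.",
}

# Placeholder table: populate it from the advisory's version information. The
# entries below are constructed for the example and are NOT a statement about
# which real releases were affected.
CONSTRUCTED_VULNERABLE: Dict[str, Set[str]] = {
    "wu-ftpd": {"2.4.2-academ"},
    "proftpd": {"1.2.0pre1"},
}

# wu-ftpd greets with "(Version wu-<version>[...] <date>)"; ProFTPD with "ProFTPD <version> Server".
_WU_RE = re.compile(r"Version wu-([0-9][0-9A-Za-z.\-]*)")
_PRO_RE = re.compile(r"ProFTPD ([0-9]\S*)")


@dataclass
class FtpdReport:
    software: str            # "wu-ftpd", "proftpd" or "other"
    version: Optional[str]   # version token parsed from the greeting, if any
    status: str              # "vulnerable", "not-vulnerable-version" or "not-listed"


def parse_banner(banner: str) -> Tuple[str, Optional[str]]:
    """Return (software, version) from a 220 greeting; ("other", None) when unrecognised."""
    m = _WU_RE.search(banner)
    if m:
        return "wu-ftpd", m.group(1)
    m = _PRO_RE.search(banner)
    if m:
        return "proftpd", m.group(1)
    return "other", None


def classify(banner: str, vulnerable: Dict[str, Set[str]]) -> FtpdReport:
    """Decide a host's status from its daemon and version alone, never from its OS."""
    software, version = parse_banner(banner)
    if software == "other":
        # A different daemon (for instance an OS-native ftpd): outside the scope of
        # this particular bug, which is not the same as a general statement of safety.
        return FtpdReport(software, version, "not-listed")
    if version in vulnerable.get(software, set()):
        return FtpdReport(software, version, "vulnerable")
    return FtpdReport(software, version, "not-vulnerable-version")


def audit(banners: Dict[str, str], vulnerable: Dict[str, Set[str]]) -> Dict[str, FtpdReport]:
    """Classify every captured greeting; the result is keyed by hostname."""
    return {host: classify(b, vulnerable) for host, b in banners.items()}


if __name__ == "__main__":
    for host, rep in audit(SAMPLE_BANNERS, CONSTRUCTED_VULNERABLE).items():
        print(f"{host:20} {rep.software:8} {rep.version or '-':16} {rep.status}")
```

The fourth sample host runs an operating-system-supplied ftpd and is reported as `not-listed` rather than `not-vulnerable-version`: that mirrors the distinction the message draws, where a vendor's "not vulnerable" answer only says the affected packages are not shipped by default, while any host on which an administrator later installed an affected wu-ftpd or ProFTPD build is still exposed and is only caught by checking the daemon itself.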
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:14 PDT