-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, I have received several emails from various engineering groups with concerns over ambiguity in Appendix B's (OS Vendors) vulnerability information. Specifically, some find it unclear as to whether or not machines are vulnerable running wu-ftpd or proftpd even though their Vendor reported the operating system as not vulnerable. To clarify, the specific versions of wu-ftpd and ProFTPD described in the advisory ARE vulnerable to the palmetto bug on any operating system. The Vendor responses detailed in Appendix B were essentially verification of whether or not the vulnerable software in question was packaged by default with their operating system. Any OS listed in Appendix B as NOT vulnerable indicates that: 1. an installation of the OS does not include the vulnerable software in question, and 2. the default FTP server that _is_ included in the installation is not vulnerable to this large pathname attack. Regards, Jordan Ritter Network Security Engineer Netect, Inc. Boston, MA "Quis custodiet ipsos custodes?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v0.9.2 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE2xJPE+siuashk00ERArWIAJ4ppDvEFF9TAxyJMowBcjJGtiPmewCgiNzS CDsX44Zpierz7f2f0BR81Bs= =fxYQ -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:14 PDT