[security-officerat_private: FreeBSD Security Advisory:

From: Patrick Oonk (patrickat_private)
Date: Wed Sep 15 1999 - 23:30:31 PDT

    ----- Forwarded message from FreeBSD Security Officer <security-officer@FreeBSD.ORG> -----
    
    Delivered-To: freebsd-announceat_private
    Date: Wed, 15 Sep 1999 21:46:28 -0600 (MDT)
    From: FreeBSD Security Officer <security-officerat_private>
    Subject: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd REISSUED
    Reply-To: security-officerat_private
    X-Loop: FreeBSD.org
    Precedence: bulk
    To: undisclosed-recipients: ;
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    =============================================================================
    FreeBSD-SA-99:03                                            Security Advisory
                                                                    FreeBSD, Inc.
    
    Topic:          Three ftp daemons in ports vulnerable to attack.
    
    Category:       ports
    Module:         wu-ftpd and proftpd
    Announced:      1999-09-05
    Reissued:       1999-09-15
    Affects:        FreeBSD 3.2 (and earlier)
                    FreeBSD-current and -stable before the correction date.
    Corrected:      FreeBSD-3.3 RELEASE
                    FreeBSD as of 1999/08/30 for wuftpd only
                    (Note: there is only one ports tree which is shared with
                     all FreeBSD branches, so if you are running a -stable
                     version of FreeBSD you will also be impacted.)
    FreeBSD only:   NO
    Bugtraq Id:     proftpd: 612
    
    Patches:        NONE
    
    I.   Background
    
    wuftpd, beroftpd and proftpd are all optional portions of the system
    designed to replace the stock ftpd on a FreeBSD system.  They are
    written and maintained by third parties and are included in the
    FreeBSD ports collection.
    
    II.  Problem Description
    
    There are different security problems which can lead to remote root
    access in these ports or packages.
    
    The standard ftp daemon which ships with FreeBSD is not impacted by
    either of these problems.
    
    III. Impact
    
    Remote users can gain root.
    
    IV.  Workaround
    
    Disable the ftp daemon until you can upgrade your system, or use the
    stock ftpd that comes with FreeBSD.
    
    V.   Solution
    
    Upgrade your wu-ftpd port to the version in the cvs repository after
    August 30, 1999.  If you are not using the wu-ftpd port, then you
    should visit their web site and follow instructions there to patch
    your existing version.
    
    beroftpd, which was listed in the original wu-ftpd group's advisory as
    having a similar problem, has not been corrected as of September 15,
    1999.  It will not be in the 3.3 release.  The port has been marked
    forbidden and will remain so until the security problems have been
    corrected.  If you are running beroftpd, you are encouraged to find out
    whether patches are available for it that correct these problems before
    enabling it on your system.
    
    proftpd, which had different security problems, has not been updated
    to a safe version as of September 15, 1999.  It will not be in the 3.3
    release.  The port has been marked forbidden and will remain so until
    the security problems have been corrected.  If you are running proftpd,
    you are encouraged to find out whether there are patches that correct
    these problems before reenabling it on your system.
    
    The previous advisory suggested that any FreeBSD ports version of
    proftpd after August 30 had the security problems corrected.  This has
    proven to not be the case and was the primary reason for reissuing
    this advisory.  While reissuing the advisory, we added beroftpd since
    it shares a code history with wu-ftpd.  The original advisory
    mistakenly asserted that proftpd also shared a code history with
    wuftpd, which is not the case.
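    The workaround and solution above reduce to two checks on a host: is one
    of the affected ports installed, and which daemon (if any) does inetd hand
    the ftp service to?  The following POSIX shell helpers are an added
    example, not part of this advisory or of FreeBSD; they assume pkg_info(1)
    style "name-version" package listings, the classic seven-field inetd.conf
    layout, and /usr/libexec/ftpd as the path of the stock ftpd.  All sample
    inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-99:03: audit helpers for the advisory's
# workaround ("disable the ftp daemon" / "use the stock ftpd").  Assumptions,
# labelled here: package listings follow the "name-version ..." form printed by
# pkg_info(1), inetd.conf uses the classic seven-field layout, and the stock
# FreeBSD ftpd lives at /usr/libexec/ftpd.  Sample inputs in the comments are
# constructed, not captured from a real host.

AFFECTED_PORTS='wu-ftpd|beroftpd|proftpd'   # daemons named in the advisory
STOCK_FTPD=/usr/libexec/ftpd                  # assumed path of the base-system ftpd

# Read a pkg_info-style listing on stdin (e.g. "pkg_info | affected_ftpd_pkgs")
# and print the name-version of every installed package built from an
# affected port.  Empty output means none of the three is installed.
affected_ftpd_pkgs() {
    awk -v pat="^(${AFFECTED_PORTS})-" '$1 ~ pat { print $1 }'
}

# Read inetd.conf on stdin and print the program path configured for the
# "ftp" service.  A commented-out ("#ftp ...") or absent service prints
# nothing, which is the state the workaround asks for while a fix is pending.
inetd_ftpd_path() {
    awk '$1 == "ftp" { print $6 }'
}

# Classify the ftp service found in inetd.conf on stdin:
#   disabled  - no active ftp line (workaround in effect)
#   stock     - base-system ftpd, which the advisory says is not impacted
#   port      - some other daemon; compare it against affected_ftpd_pkgs
ftpd_status() {
    path=$(inetd_ftpd_path)
    if [ -z "$path" ]; then
        echo disabled
    elif [ "$path" = "$STOCK_FTPD" ]; then
        echo stock
    else
        echo port
    fi
}

# Example (constructed input):
#   printf 'ftp stream tcp nowait root /usr/local/libexec/proftpd proftpd\n' | ftpd_status
# prints "port".
```

    On a live host the two checks would be run as "pkg_info | affected_ftpd_pkgs"
    and "ftpd_status < /etc/inetd.conf"; a result of "port" together with a
    non-empty package list is the configuration the advisory tells you to
    disable or replace with the stock ftpd until the port is corrected.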
    
    VI.  Credits and Pointers
    
    The wu-ftpd advisory can be found at
            ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc
    
    =============================================================================
    FreeBSD, Inc.
    
    Web Site:                       http://www.freebsd.org/
    Confidential contacts:          security-officerat_private
    Security notifications:         security-notificationsat_private
    Security public discussion:     freebsd-securityat_private
    PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
    
    Notice: Any patches in this document may not apply cleanly due to
            modifications caused by digital signature or mailer software.
            Please reference the URL listed at the top of this document
            for original copies of all patches if necessary.
    =============================================================================
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv
    Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
    
    iQCVAwUBN+BmhFUuHi5z0oilAQFlOAQAiU3kAPurRruiFGfG33OsM3ni86HFpKPZ
    Hb9pINkP9Fu8qdKD/JKYYSxCLRhJLoqojSHXXpVvhJUOQx+1RVaiVCVNvZhV0ypx
    0M/+VEg1IpusbxkTRbNFE6cUrMwAiHvbZepYp41slTiA2MwDV7cqX1yvv1InGU1z
    HSfQSOB/Kfs=
    =NPAs
    -----END PGP SIGNATURE-----
    
    
    This is the moderated mailing list freebsd-announce.
    The list contains announcements of new FreeBSD capabilities,
    important events and project milestones.
    See also the FreeBSD Web pages at http://www.freebsd.org
    
    
    To Unsubscribe: send mail to majordomoat_private
    with "unsubscribe freebsd-announce" in the body of the message
    
    ----- End forwarded message -----
    
    -- 
     Patrick Oonk - PO1-6BONE - patrickat_private - www.pine.nl/~patrick
     Pine Internet B.V.                            PGP key ID BE7497F1
     Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
     -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
     Excuse of the day: The computer fletely, mouse and all.
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:13 PDT