I noticed that also; however the release of 2.6.0 and the CERT advisory (as well as the AUSCERT advisory) were in fact closely coordinated. This is because 2.6.0 does fix all the items listed in the advisory.

At 03:16 PM 10/20/1999 -0700, you wrote:
> > WU-FTPD and BeroFTPD
> >
> > Vulnerability #1:
> >
> > Not vulnerable:
> > versions 2.4.2 and all betas and earlier versions
> > Vulnerable:
> > wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
> > wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
> > wu-ftpd-2.5.0
> > BeroFTPD, all versions
>
>CERT appears to have left out wu-ftpd-2.6.0 (although they included it in
>the lists for the other two vulnerabilities).
>
>Version 2.6.0 does *not* have the "MAPPING_CHDIR Buffer Overflow"
>vulnerability, at least if the ANNOUNCE-RELEASE file for that version is
>to be believed. It reads, in part:
>
>"Corrected an error in the MAPPING_CHDIR feature which could be used to
>gain root privileges on the server."
>
>Presumably, this refers to this vulnerability.
>
>Rich

Chad Price
Systems Manager, Genetic Sequence Analysis Facility
University of Nebraska Medical Center
986495 Nebraska Medical Center
Omaha, NE 68506-6495
cpriceat_private
(402) 559-9527
(402) 559-4077 (FAX)