Bugtraq mailing list archives

Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD


From: cprice () MOLBIO UNMC EDU (Chad Price)
Date: Thu, 21 Oct 1999 13:11:32 -0500


I noticed that also; however the release of 2.6.0 and the CERT advisory (as
well as the AUSCERT advisory) were in fact closely coordinated.  This is
because 2.6.0 does fix all the items listed in the advisory.

At 03:16 PM 10/20/1999 -0700, you wrote:
WU-FTPD and BeroFTPD

   Vulnerability #1:

   Not vulnerable:
          versions 2.4.2 and all betas and earlier versions
   Vulnerable:
          wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
          wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
          wu-ftpd-2.5.0
          BeroFTPD, all versions

CERT appears to have left out wu-ftpd-2.6.0 (although they included it in
the lists for the other two vulnerabilities).

Version 2.6.0 does *not* have the "MAPPING_CHDIR Buffer Overflow"
vulnerability, at least if the ANNOUNCE-RELEASE file for that version is
to be believed.  It reads, in part:

"Corrected an error in the MAPPING_CHDIR feature which could be used to
gain root privileges on the server."

Presumably, this refers to this vulnerability.

Rich

Chad Price
Systems Manager, Genetic Sequence Analysis Facility
University of Nebraska Medical Center
986495 Nebraska Medical Center
Omaha, NE 68506-6495
cprice () molbio unmc edu
(402) 559-9527
(402) 559-4077 (FAX)

