Bugtraq mailing list archives

Re: another wu-ftpd exploit


From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Thu, 28 Sep 2000 15:24:28 -0700

George Bakos <alpinista () BIGFOOT COM> writes:
> Yesterday www.hack.co.za made available yet another format string stack
> overwrite exploit for wu-ftpd 2.6.0-*.  I have seen an increased level of
> scanning for port 21 in the past 36 hours, no doubt attributable to this
> latest SITE EXEC vulnerability.
> [...]
> This is another incarnation of a very serious vulnerability.  If you are
> running wu-ftpd 2.60-*, it is advised that you upgrade to the 2.6.1 release.

I didn't even realize 2.6.1 was out.  The wu-ftpd people apparently made no
announcement on Bugtraq and no announcement on their WU-FTPD-ANNOUNCE list.
In fact, I haven't received a single email on their announce list since I
subscribed on 9/23/99.  I just verified with the listserver that I am indeed
subscribed, so apparently the wu-ftpd team would rather pretend their
security holes don't exist than announce them to their users.

I've been wanting to give ProFTPD a try, but I'd been waiting for them to
transition from 1.2.0rc2 to 1.2.0.  Been waiting since July 28...

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.

