Bugtraq mailing list archives

Re: another wu-ftpd exploit


From: Richard Trott <trott () SLOWPOISONERS COM>
Date: Sun, 1 Oct 2000 02:07:27 -0700

On Thu, 28 Sep 2000, Dan Harkless wrote:

> I didn't even realize 2.6.1 was out.  The wu-ftpd people apparently made no
> announcement on Bugtraq and no announcement on their WU-FTPD-ANNOUNCE list.
> In fact, I haven't received a single email on their announce list since I
> subscribed on 9/23/99.  I just verified with the listserver that I am indeed
> subscribed, so apparently the wu-ftpd team would rather pretend their
> security holes don't exist than announce them to their users.

I'm sure I won't be the only person to note this, but:

CERT advisory 2000-1 reports the existence of a security vulnerability in
versions of wu-ftpd prior to 2.6.1.  The advisory suggests upgrading to
version 2.6.1.  Aleph himself posted the advisory to Bugtraq in July.  So
the existence of 2.6.1 and the importance of upgrading to 2.6.1 were noted
on Bugtraq.  (I think that if you have 2.6.0 plus a security patch they
released in late June, you have the same security fix(es) as if you were
running 2.6.1.  I could be wrong, though.)

The wu-ftpd web page (http://www.wu-ftpd.org/) has a link in their "recent
news" section that says:

July 2, 2000 WU-FTPD 2.6.1 has been released. Download it from the
distribution site or one of the world-wide mirrors.

You do appear to be correct, however, about the utter inactivity of the
wu-ftpd-announce list.  The archive for the list
(http://www.landfield.com/wu-ftpd/mail-archive/wu-ftpd-announce/) contains
no messages.  That's a bummer.

Rich

