Bugtraq mailing list archives
Re: another wu-ftpd exploit
From: Richard Trott <trott () SLOWPOISONERS COM>
Date: Sun, 1 Oct 2000 02:07:27 -0700
On Thu, 28 Sep 2000, Dan Harkless wrote:
> I didn't even realize 2.6.1 was out. The wu-ftpd people apparently made no announcement on Bugtraq and no announcement on their WU-FTPD-ANNOUNCE list. In fact, I haven't received a single email on their announce list since I subscribed on 9/23/99. I just verified with the listserver that I am indeed subscribed, so apparently the wu-ftpd team would rather pretend their security holes don't exist than announce them to their users.

I'm sure I won't be the only person to note this, but:

CERT advisory 2000-1 reports the existence of a security vulnerability in versions of wu-ftpd prior to 2.6.1. The advisory suggests upgrading to version 2.6.1. Aleph himself posted the advisory to Bugtraq in July. So the existence of 2.6.1 and the importance of upgrading to 2.6.1 were noted on Bugtraq. (I think that if you have 2.6.0 plus a security patch they released in late June, you have the same security fix(es) as if you were running 2.6.1. I could be wrong, though.)

The wu-ftpd web page (http://www.wu-ftpd.org/) has a link in their "recent news" section that says:

    July 2, 2000 WU-FTPD 2.6.1 has been released. Download it from the distribution site or one of the world-wide mirrors.

You do appear to be correct, however, about the utter inactivity of the wu-ftpd-announce list. The archive for the list (http://www.landfield.com/wu-ftpd/mail-archive/wu-ftpd-announce/) contains no messages. That's a bummer.

Rich