Slackware Linux Advisories: WU-FTPD, ProFTPD, OpenSSH
Sep 24, 2003, 11:29

[slackware-security] WU-FTPD Security Advisory (SSA:2003-259-03)

Upgraded WU-FTPD packages are available for Slackware 9.0 and -current. These fix a problem where an attacker could use a specially crafted filename in conjunction with WU-FTPD's conversion feature (mostly used to compress files, or produce tar archives) to execute arbitrary commands on the server. In addition, a MAIL_ADMIN feature which has been found to be insecure has been disabled. We do not recommend deploying WU-FTPD in situations where security is required.

Here are the details from the Slackware 9.0 ChangeLog:

Tue Sep 23 14:43:10 PDT 2003
pasture/dontuse/wu-ftpd/wu-ftpd-2.6.2-i486-3.tgz: Fixed a security problem in
  /etc/ftpconversions (CVE-1999-0997). There's also another hole in wu-ftpd
  which may be triggered if the MAIL_ADMIN feature (notifies the admin of
  anonymous uploads) is used, so MAIL_ADMIN has been disabled in this build.
  Also note that we've moved this from /pasture to /pasture/dontuse, which
  should tell you something.
  (* Security fix *)

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 9.0:

Updated package for Slackware -current:

MD5 SIGNATURES:

Slackware 9.0 package:

Slackware -current package:

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):

+-----+

Slackware Linux Security Team

[slackware-security] ProFTPD Security Advisory (SSA:2003-259-02)

Upgraded ProFTPD packages are available for Slackware 8.1, 9.0 and -current. These fix a security issue where an attacker could gain a root shell by downloading a specially crafted file.

Here are the details from the Slackware 9.0 ChangeLog:

Tue Sep 23 14:43:10 PDT 2003
n/proftpd-1.2.8p-i486-1.tgz: Upgraded to proftpd-1.2.8p (patched).
  This fixes a security problem in ProFTPD. From http://www.proftpd.org:
    X-Force Research at ISS has discovered a remote exploit in ProFTPD's
    handling of ASCII translations that an attacker, by downloading a
    carefully crafted file, can exploit and gain a root shell. The source
    distributions on ftp://ftp.proftpd.org have all been replaced with
    patched versions. All ProFTPD users are strongly urged to upgrade to
    one of the patched versions as soon as possible.
  Note that the upgraded package does not change the displayed version
  number to 1.2.8p (it remains 1.2.8), but we've verified the source code
  to make sure that this is in fact the patched version. We recommend all
  sites running ProFTPD upgrade to the new package right away.
  (* Security fix *)

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 8.1:

Updated package for Slackware 9.0:

Updated package for Slackware -current:

MD5 SIGNATURES:

Slackware 8.1 package:

Slackware 9.0 package:

Slackware -current package:

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):

+-----+

Slackware Linux Security Team

[slackware-security] New OpenSSH packages (SSA:2003-266-01)

Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0 and -current. This fixes security problems with PAM authentication. It also includes several code cleanups from Solar Designer. Slackware is not vulnerable to the PAM problem, and it is not believed that any of the other code cleanups fix exploitable security problems, but nevertheless sites may wish to upgrade.

These are some of the more interesting entries from OpenSSH's ChangeLog so you can be the judge:

[buffer.c]

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 8.1:

Updated package for Slackware 9.0:

Updated package for Slackware -current:

MD5 SIGNATURES:

Slackware 8.1 package:

Slackware 9.0 package:

Slackware -current package:

INSTALLATION INSTRUCTIONS:

(This procedure is safe to do while logged in through OpenSSH)

Upgrade using upgradepkg (as root):

Restart OpenSSH:

+-----+

Slackware Linux Security Team
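All three advisories follow the same installation procedure: fetch the package, compare its MD5 sum against the value published under MD5 SIGNATURES, and only then run upgradepkg as root. The script below is an added example of wiring that check into the upgrade step; it is not part of the Slackware advisories. The expected checksum in the usage call is a constructed placeholder, not a value from the advisory, and the UPGRADE_CMD variable (defaulting to upgradepkg) is an assumption added so the same function can be exercised on a machine without Slackware's package tools.

```shell
#!/bin/sh
# Added example, not from the Slackware advisory: refuse to install a
# package whose MD5 sum does not match the one published in the advisory.
# UPGRADE_CMD is an assumed knob; it defaults to Slackware's upgradepkg.

: "${UPGRADE_CMD:=upgradepkg}"

# verify_md5 FILE EXPECTED_MD5
# Returns 0 when md5sum of FILE equals EXPECTED_MD5 (lowercase hex), else 1.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# upgrade_if_verified FILE EXPECTED_MD5
# Runs "$UPGRADE_CMD FILE" only after the checksum matches; a mismatch
# leaves the system untouched and returns non-zero.
upgrade_if_verified() {
    if verify_md5 "$1" "$2"; then
        $UPGRADE_CMD "$1"
    else
        echo "MD5 mismatch for $1, refusing to install" >&2
        return 1
    fi
}

# Usage (as root on the target host). The checksum below is a constructed
# placeholder; substitute the value from the advisory's MD5 SIGNATURES.
#   upgrade_if_verified proftpd-1.2.8p-i486-1.tgz 00000000000000000000000000000000
```

Because the expected sum travels in the advisory rather than alongside the package, a download that was tampered with or truncated fails the comparison before upgradepkg ever sees it, which is the point of publishing the MD5 SIGNATURES section.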