Date: Mon, 10 Jul 2000 12:17:57 -0400
From: security-officer@netbsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: NetBSD Security Advisory 2000-010

-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-010
                 =================================

Topic:          wu-ftpd package vulnerability.
Version:        All wu-ftpd versions prior to 2.6.1
Severity:       High: Potential remote root access.

Abstract
========

Note: The wu-ftpd package is not part of the base NetBSD distribution,
and is not installed by default. It is part of the NetBSD package
collection, which contains a large number of third-party applications
in ready-to-install format.

wu-ftpd versions prior to 2.6.1 contain known security holes which may
allow unauthorized remote users to gain root access.

Technical Details
=================

See the CERT advisory CA-2000-13 and NetBSD-SA2000-009

Solutions and Workarounds
=========================

Versions of wu-ftpd older than version 2.6.1 are vulnerable.

To find out the version of wu-ftpd installed on your NetBSD system,
you can use pkg_info(1):

        # pkg_info -e wu-ftpd-*

If wu-ftpd is not installed on your system, no output will be
generated, and your system is not vulnerable to this problem.

If you have a version older than 2.6.1, you should upgrade to a newer
version of wu-ftpd. A corrected version has been part of the NetBSD
packages collection since 8 July 2000.

If a vulnerable version of wu-ftpd is installed, then you should
immediately remove the vulnerability by deleting the package. As
root, type:

        # pkg_delete -v wu-ftpd-*

If you continue to need wu-ftpd, you should install a new version of
the package. There are precompiled binary packages of wu-ftpd for
some NetBSD ports available from:

        ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/net/wu-ftpd/README.html

If no precompiled binary is available for your platform, you can build
your own from source. First, make sure that you have a version of the
pkgsrc hierarchy from @DATE@ or later.
(See http://www.netbsd.org/Sites/net.html for ways to obtain NetBSD,
and pkgsrc, its packages collection.)

You can then install the new version of the package:

        cd pkgsrc/net/wu-ftpd; make clean; make install

For more information on how to rebuild a package from source for your
architecture, see ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/README

Revision History
================

        20000708 Initial version.

More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA2000-010.txt,v 1.4 2000/07/10 12:29:39 sommerfeld Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOWnDgj5Ru2/4N2IFAQGMLQQAot5M4fYWSVP0YcuVJ9FzWH2+OxKV0EsL
4U2AtsIjj7TnvZ1djZfyszkRYMIVr/4cMQ3Ma84SnACGBNu/KKSuRz/x+vtR68W5
MtUSnZiivTUmbmRPDx/2fxWjumYWB+RKAI0IbTW1sgvhyPrgV3pr2w5/SAXCIFhG
YY6ZBaXXceY=
=4js/
-----END PGP SIGNATURE-----
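
The version check described under "Solutions and Workarounds", as an added
example that is not part of the NetBSD advisory: a POSIX sh helper that
classifies a package name of the kind printed by pkg_info -e against the fixed
release 2.6.1. The function name, the treatment of "nbN" and letter suffixes,
and the sample package names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): classify a wu-ftpd package name.
FIXED_VERSION="2.6.1"   # first non-vulnerable release named in the advisory

# wuftpd_status PKGNAME -> prints "vulnerable", "fixed" or "unknown".
# Assumptions: names look like wu-ftpd-<dotted version>; a trailing "nbN" is a
# pkgsrc package revision; any other letter suffix (e.g. 2.4.2b18) marks a
# pre-release, which is treated as older than the plain version.
wuftpd_status() {
    case $1 in
        wu-ftpd-[0-9]*) inst=${1#wu-ftpd-} ;;
        *) echo unknown; return 0 ;;
    esac
    inst=$(printf '%s\n' "$inst" | sed 's/nb[0-9][0-9]*$//')
    fixed=$FIXED_VERSION
    prerelease=no
    # Compare the dotted components left to right, numerically.
    while [ -n "$inst" ] || [ -n "$fixed" ]; do
        a=${inst%%.*}; b=${fixed%%.*}
        case $inst in *.*) inst=${inst#*.} ;; *) inst= ;; esac
        case $fixed in *.*) fixed=${fixed#*.} ;; *) fixed= ;; esac
        case $a in *[!0-9]*) prerelease=yes ;; esac
        a=$(printf '%s\n' "$a" | sed 's/[^0-9].*$//')
        if [ "${a:-0}" -lt "${b:-0}" ]; then echo vulnerable; return 0; fi
        if [ "${a:-0}" -gt "${b:-0}" ]; then echo fixed; return 0; fi
    done
    # Numerically equal to 2.6.1: only a plain release counts as fixed.
    if [ "$prerelease" = yes ]; then echo vulnerable; else echo fixed; fi
}

# Constructed sample names; on a real host, pass each name printed by the
# advisory's pkg_info -e command instead.
for pkg in wu-ftpd-2.4.2b18 wu-ftpd-2.6.0 wu-ftpd-2.6.1 wu-ftpd-2.6.1nb1; do
    printf '%s: %s\n' "$pkg" "$(wuftpd_status "$pkg")"
done
```

Any name reported as "vulnerable" calls for the pkg_delete and reinstall steps given in the advisory.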
NetBSD Security Advisory: wu-ftpd package vulnerability