FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd
FreeBSD Security Officer
security-officer at freebsd.org
Tue Sep 7 09:22:44 PDT 1999
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-99:03 Security Advisory
Topic: Two ftp daemons in ports vulnerable to attack.
Module: wu-ftpd and proftpd
Affects: FreeBSD 3.2 (and earlier)
FreeBSD-current before the correction date.
Corrected: FreeBSD-3.3 RELEASE
FreeBSD-current as of 1999/08/30
FreeBSD only: NO
wuftpd and proftpd have a flaw which can lead to a remote root
compromise. They are both vulnerable since they are both based on a
code base that is vulnerable.
II. Problem Description
Remote users can gain root via a buffer overflow.
Remote users can gain root.
Disable the ftp daemon until you can upgrade your system.
Upgrade your wu-ftpd or proftpd ports to the most recent versions (any
version after August 30, 1999 is not impacted by this problem). If
you are running non-port versions, you should verify that your version
is not vulnerable or upgrade to using the ports version of these
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer at freebsd.org
Security notifications: security-notifications at freebsd.org
Security public discussion: freebsd-security at freebsd.org
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
-----BEGIN PGP SIGNATURE-----
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----
This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo at FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message
More information about the freebsd-announce