FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd

FreeBSD Security Officer security-officer at
Tue Sep 7 09:22:44 PDT 1999


FreeBSD-SA-99:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Two ftp daemons in ports vulnerable to attack.

Category:       ports
Module:         wu-ftpd and proftpd
Announced:      1999-09-05
Affects:        FreeBSD 3.2 (and earlier)
		FreeBSD-current before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
		FreeBSD-current as of 1999/08/30
FreeBSD only:   NO

Patches:        NONE

I.   Background    

wuftpd and proftpd have a flaw which can lead to a remote root
compromise.  They are both vulnerable since they are both based on a
code base that is vulnerable.

II.  Problem Description

Remote users can gain root via a buffer overflow.

III. Impact

Remote users can gain root.

IV.  Workaround

Disable the ftp daemon until you can upgrade your system.

V.   Solution

Upgrade your wu-ftpd or proftpd ports to the most recent versions (any
version after August 30, 1999 is not impacted by this problem).  If
you are running non-port versions, you should verify that your version
is not vulnerable or upgrade to using the ports version of these

FreeBSD, Inc.

Web Site:             
Confidential contacts:          security-officer at
Security notifications:         security-notifications at
Security public discussion:     freebsd-security at
PGP Key:      

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.

Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface


This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at

To Unsubscribe: send mail to majordomo at
with "unsubscribe freebsd-announce" in the body of the message

More information about the freebsd-announce mailing list