FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd REISSUED

FreeBSD Security Officer security-officer at
Wed Sep 15 20:47:17 PDT 1999


FreeBSD-SA-99:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Three ftp daemons in ports vulnerable to attack.

Category:       ports
Module:         wu-ftpd and proftpd
Announced:      1999-09-05
Reissued:	1999-09-15
Affects:        FreeBSD 3.2 (and earlier)
		FreeBSD-current and -stable before the correction date.
Corrected:      FreeBSD-3.3 RELEASE
		FreeBSD as of 1999/08/30 for wuftpd only
		(Note: there is only one ports tree which is shared with
		 all FreeBSD branches, so if you are running a -stable
		 version of FreeBSD you will also be impacted.)
FreeBSD only:   NO
Bugtraq Id:	proftpd: 612

Patches:        NONE

I.   Background    

wuftpd, beroftpd and proftpd are all optional portions of the system
designed to replace the stock ftpd on a FreeBSD system.  They are
written and maintained by third parties and are included in the
FreeBSD ports collection.

II.  Problem Description

There are different security problems which can lead to remote root
access in these ports or packages.

The standard ftp daemon which ships with FreeBSD is not impacted by
either of these problems.

III. Impact

Remote users can gain root.

IV.  Workaround

Disable the ftp daemon until you can upgrade your system, or use the
stock ftpd that comes with FreeBSD.

V.   Solution

Upgrade your wu-ftpd port to the version in the cvs repository after
August 30, 1999.  If you are not using the wu-ftpd port, then you
should visit their web site and follow instructions there to patch
your existing version.

beroftpd, which was listed in the original wu-ftpd group's advisory as
having a similar problem, has not been corrected as of September 15,
1999.  It will not be in the 3.3 release.  The port has been marked
forbidden and will remain so until the security problems have been
corrected.  If you are running beroftpd you are encouraged to find if
patches are available for it which corrects these problems before
enabling it on your system.

proftpd, which had different security problems, has not been updated
to a safe version as of September 15, 1999.  It will not be in the 3.3
release.  It will not be in the 3.3 release.  The port has been marked
forbidden and will remain so until the security problems have been
corrected.  If you are running proftpd, you are encouraged to find out
if there are patches which correct these problems before reenabling it
on your system.

The previous advisory suggested that any FreeBSD ports version of
proftpd after August 30 had the security problems corrected.  This has
proven to not be the case and was the primary reason for reissuing
this advisory.  While reissuing the advisory, we added beroftpd since
it shares a code history with wu-ftpd.  The original advisory
mistakenly asserted that proftpd also shared a code history with
wuftpd, which is not the case.

VI.  Credits and Pointers

The wu-ftpd advisory can be found at

FreeBSD, Inc.

Web Site:             
Confidential contacts:          security-officer at
Security notifications:         security-notifications at
Security public discussion:     freebsd-security at
PGP Key:      

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.

Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface


This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at

To Unsubscribe: send mail to majordomo at
with "unsubscribe freebsd-announce" in the body of the message

More information about the freebsd-announce mailing list