FTP daemon



CERT have finally got around to picking up on the AUSCERT wu.ftpd report
on signal handling and core dumps

------------- (highlights of..)

AUSCERT has received information that there is a vulnerability in some
versions of ftpd distributed and installed under various Unix platforms.

This vulnerability may allow regular and anonymous ftp users to read or
write to arbitrary files with root privileges.

    This vulnerability is caused by a signal handling routine increasing
    process privileges to root, while still continuing to catch other
    signals.  This introduces a race condition which may allow regular,
    as well as anonymous ftp, users to access files with root privileges.
    Depending on the configuration of the ftpd server, this may allow
    intruders to read or write to arbitrary files on the server.

wu-ftpd Academ beta version
===========================

    The current version of wu-ftpd (Academ beta version), wu-ftpd
    2.4.2-beta-12, does not contain the vulnerability described in this
    advisory.  Sites using earlier versions should upgrade to the current
    version immediately.  At the time of writing, the current version can
    be retrieved from:

    	ftp://ftp.academ.com/pub/wu-ftpd/private/


---------

The only vendor data they have is Red Hat and it's out of date. If people
want to submit entries/update the report can it get back to me by
this evening (sorry so quick blame them not me)

Alan

--
Red Hat Software
================

    The signal handling code in wu-ftpd has some security problems which
    allow users to read all files on your system. A new version of wu-ftpd
    is now available for Red Hat 4.0 which Red Hat suggests installing on
    all of your systems.  This new version uses the same fix posted to
    redhat-list@redhat.com by Savochkin Andrey Vladimirovich.  Users of
    Red Hat Linux versions earlier than 4.0 should upgrade to 4.0 and then
    apply all available security packages.

    Users whose computers have direct internet connections may apply
    this update by using one of the following commands:

    Intel:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm

    Alpha:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm

    SPARC:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm

    All of these packages have been signed with Red Hat's PGP key.