Date: Wed, 15 Sep 1999 21:46:28 -0600 (MDT)
From: FreeBSD Security Officer <security-officer@FreeBSD.ORG.>
To: undisclosed-recipients: ;
Subject: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd REISSUED
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-99:03 Security Advisory
FreeBSD, Inc.
Topic: Three ftp daemons in ports vulnerable to attack.
Category: ports
Module: wu-ftpd and proftpd
Announced: 1999-09-05
Reissued: 1999-09-15
Affects: FreeBSD 3.2 (and earlier)
FreeBSD-current and -stable before the correction date.
Corrected: FreeBSD-3.3 RELEASE
FreeBSD as of 1999/08/30 for wuftpd only
(Note: there is only one ports tree which is shared with
all FreeBSD branches, so if you are running a -stable
version of FreeBSD you will also be impacted.)
FreeBSD only: NO
Bugtraq Id: proftpd: 612
Patches: NONE
I. Background
wuftpd, beroftpd and proftpd are all optional portions of the system
designed to replace the stock ftpd on a FreeBSD system. They are
written and maintained by third parties and are included in the
FreeBSD ports collection.
II. Problem Description
There are different security problems which can lead to remote root
access in these ports or packages.
The standard ftp daemon which ships with FreeBSD is not impacted by
either of these problems.
III. Impact
Remote users can gain root.
IV. Workaround
Disable the ftp daemon until you can upgrade your system, or use the
stock ftpd that comes with FreeBSD.
V. Solution
Upgrade your wu-ftpd port to the version in the cvs repository after
August 30, 1999. If you are not using the wu-ftpd port, then you
should visit their web site and follow instructions there to patch
your existing version.
beroftpd, which was listed in the original wu-ftpd group's advisory as
having a similar problem, has not been corrected as of September 15,
1999. It will not be in the 3.3 release. The port has been marked
forbidden and will remain so until the security problems have been
corrected. If you are running beroftpd you are encouraged to find if
patches are available for it which corrects these problems before
enabling it on your system.
proftpd, which had different security problems, has not been updated
to a safe version as of September 15, 1999. It will not be in the 3.3
release. It will not be in the 3.3 release. The port has been marked
forbidden and will remain so until the security problems have been
corrected. If you are running proftpd, you are encouraged to find out
if there are patches which correct these problems before reenabling it
on your system.
The previous advisory suggested that any FreeBSD ports version of
proftpd after August 30 had the security problems corrected. This has
proven to not be the case and was the primary reason for reissuing
this advisory. While reissuing the advisory, we added beroftpd since
it shares a code history with wu-ftpd. The original advisory
mistakenly asserted that proftpd also shared a code history with
wuftpd, which is not the case.
VI. Credits and Pointers
The wu-ftpd advisory can be found at
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: [email protected]
Security notifications: [email protected]
Security public discussion: [email protected]
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQCVAwUBN+BmhFUuHi5z0oilAQFlOAQAiU3kAPurRruiFGfG33OsM3ni86HFpKPZ
Hb9pINkP9Fu8qdKD/JKYYSxCLRhJLoqojSHXXpVvhJUOQx+1RVaiVCVNvZhV0ypx
0M/+VEg1IpusbxkTRbNFE6cUrMwAiHvbZepYp41slTiA2MwDV7cqX1yvv1InGU1z
HSfQSOB/Kfs=
=NPAs
-----END PGP SIGNATURE-----
This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to [email protected]
with "unsubscribe freebsd-announce" in the body of the message