diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-99:03.ftpd.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-99:03.ftpd.asc | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-99:03.ftpd.asc b/share/security/advisories/FreeBSD-SA-99:03.ftpd.asc new file mode 100644 index 0000000000..8695a54ab0 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-99:03.ftpd.asc @@ -0,0 +1,110 @@ +-----BEGIN PGP SIGNED MESSAGE----- + +============================================================================= +FreeBSD-SA-99:03 Security Advisory + FreeBSD, Inc. + +Topic: Three ftp daemons in ports vulnerable to attack. + +Category: ports +Module: wu-ftpd and proftpd +Announced: 1999-09-05 +Reissued: 1999-09-15 +Affects: FreeBSD 3.2 (and earlier) + FreeBSD-current and -stable before the correction date. +Corrected: FreeBSD-3.3 RELEASE + FreeBSD as of 1999/08/30 for wuftpd only + (Note: there is only one ports tree which is shared with + all FreeBSD branches, so if you are running a -stable + version of FreeBSD you will also be impacted.) +FreeBSD only: NO +Bugtraq Id: proftpd: 612 + +Patches: NONE + +I. Background + +wuftpd, beroftpd and proftpd are all optional portions of the system +designed to replace the stock ftpd on a FreeBSD system. They are +written and maintained by third parties and are included in the +FreeBSD ports collection. + +II. Problem Description + +There are different security problems which can lead to remote root +access in these ports or packages. + +The standard ftp daemon which ships with FreeBSD is not impacted by +either of these problems. + +III. Impact + +Remote users can gain root. + +IV. Workaround + +Disable the ftp daemon until you can upgrade your system, or use the +stock ftpd that comes with FreeBSD. + +V. Solution + +Upgrade your wu-ftpd port to the version in the cvs repository after +August 30, 1999. If you are not using the wu-ftpd port, then you +should visit their web site and follow instructions there to patch +your existing version. + +beroftpd, which was listed in the original wu-ftpd group's advisory as +having a similar problem, has not been corrected as of September 15, +1999. It will not be in the 3.3 release. The port has been marked +forbidden and will remain so until the security problems have been +corrected. If you are running beroftpd you are encouraged to find if +patches are available for it which corrects these problems before +enabling it on your system. + +proftpd, which had different security problems, has not been updated +to a safe version as of September 15, 1999. It will not be in the 3.3 +release. It will not be in the 3.3 release. The port has been marked +forbidden and will remain so until the security problems have been +corrected. If you are running proftpd, you are encouraged to find out +if there are patches which correct these problems before reenabling it +on your system. + +The previous advisory suggested that any FreeBSD ports version of +proftpd after August 30 had the security problems corrected. This has +proven to not be the case and was the primary reason for reissuing +this advisory. While reissuing the advisory, we added beroftpd since +it shares a code history with wu-ftpd. The original advisory +mistakenly asserted that proftpd also shared a code history with +wuftpd, which is not the case. + +VI. Credits and Pointers + +The wu-ftpd advisory can be found at + ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc + +============================================================================= +FreeBSD, Inc. + +Web Site: http://www.freebsd.org/ +Confidential contacts: security-officer@freebsd.org +Security notifications: security-notifications@freebsd.org +Security public discussion: freebsd-security@freebsd.org +PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc + +Notice: Any patches in this document may not apply cleanly due to + modifications caused by digital signature or mailer software. + Please reference the URL listed at the top of this document + for original copies of all patches if necessary. +============================================================================= + +-----BEGIN PGP SIGNATURE----- +Version: 2.6.3ia +Charset: noconv +Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface + +iQCVAwUBN+BmhFUuHi5z0oilAQFlOAQAiU3kAPurRruiFGfG33OsM3ni86HFpKPZ +Hb9pINkP9Fu8qdKD/JKYYSxCLRhJLoqojSHXXpVvhJUOQx+1RVaiVCVNvZhV0ypx +0M/+VEg1IpusbxkTRbNFE6cUrMwAiHvbZepYp41slTiA2MwDV7cqX1yvv1InGU1z +HSfQSOB/Kfs= +=NPAs +-----END PGP SIGNATURE----- |