> Pleeeeeeease, I had explicitly restricted my statements to the audited
> version of wu-ftpd. I quote from the SuSE security advisory June 2000:

The point is that not everyone uses SuSE, let alone their audited version. So saying that wu-ftpd has had no major problems since SuSE audited the code is irrelevant to users of other distros such as RedHat, Debian etc.

(I note that SuSE in their advisory recommended using the audited 2.4 version but still provided fixes for 2.6. Does this mean they also shipped the vulnerable version? Why? What was the default ftpd installed at that time? The vulnerable one or the audited one?)

Kerry.

> ----------
> ...
> Package: wuftpd < 2.6.0-121
> ...
> 1. Problem Description
> The wu-ftp FTP server does not do proper bounds checking while processing
> the SITE EXEC command.
>
> 2. Impact
> A remote attacker could execute arbitrary machine code as root on an FTP
> server using wu-ftpd.
> This bug could only be exploited if anonymous access to the FTP server
> is allowed.
>
> 3. Solution
> We recommend using our audited 2.4er version of wu-ftpd.
> --------------------
>
>
> I seem to remember the SuSE security people saying that the number of
> vulnerabilities in wu-ftpd found since the audit was not higher than
> those found in bsd/pro. That seems to be about right.
>
> But Kurt Seifried could well be right with his assessment of ftp in
> general.
>
> Volker

--
regards, Kerry.
---------------------------------------------------------------------
Kerry Baker, Consultant
Optimation New Zealand Limited
Level 2, Optimation House, 1 Grey Street, Wellington
Ph: +64 (4) 470 5843   Fax: +64 (4) 472 7219   Mob: +64 (25) 308 647
Email: [EMAIL PROTECTED]   Web: www.optimation.co.nz
