Re: Secure wu-ftpd for Testing?

2001-11-30 Thread Christian Kurz

On 30/11/01, David Ehle wrote:
> Is the wu-ftpd in testing secure? It seems to be 2.6.1 a stinker.

Not so far. But calling a software where the source and the fix are
available, so that you can build a fixed version on your own is
inappropriate. Especially if you are using Win98 and Netscape, both
closed source products, for mailing. Do you also call mail both
companies calling their software a stinker and asking them directly
for fixed versions?

Christian
-- 
   Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853





RE: Secure wu-ftpd for Testing?

2001-11-30 Thread Howland, Curtis
The article I read about it on the Register...

http://www.theregister.co.uk/content/4/23082.html

"The hole affects thousands of users of virtually every Linux release.
Because of the wide implications, Core, working with CERT, and, at one
point, SecurityFocus' "Vulnerability Help" team, arranged a coordinated
release with Caldera, SuSE, TurboLinux, Debian, Red Hat, and other Linux
vendors, so that patches would be available for every distribution
simultaneously. December 3rd was picked for the release.

That plan went out the window Tuesday, when Red Hat unilaterally issued
its own advisory."

So I will assume that Debian has a fix that is being tested, if not in
"testing". I'm very surprised it hasn't been released or mentioned yet
myself.

Curt-

-Original Message-
From: David Ehle [mailto:[EMAIL PROTECTED]
Sent: Friday, November 30, 2001 14:20
To: debian-security@lists.debian.org
Cc: Debian-Security (E-mail)
Subject: Secure wu-ftpd for Testing?



Hello all,

Is the wu-ftpd in testing secure? It seems to be 2.6.1 a stinker.
Testing is using 2.6.1-5, is that also compromised?  I have been
watching it all day but haven't seen any updates.

If it is not secure has a patched version been made available anywhere?
I can't seem to find any mention at http://www.debian.org/security/

Thanks!
David.





Re: Secure wu-ftpd for Testing?

2001-11-30 Thread David Ehle
Thanks Curtis,

   I know the maintainer has put together a fixed version for
Potato/stable, I am wondering if he has had time to do the testing yet,
or if we rollback to the testing one or what. I'm just hoping that
rollback won't be a dependency nightmare... the stable version is
wu-ftpd_2.6.0-6 available from:
ftp.debian.org but NOT (as of about 6:00pm my local time)
ftp.us.debian.org.

Anyway thanks for the info.

Here are some other info sources I've found:
http://www.securityfocus.com/archive/1/242750
http://www.wu-ftpd.org  (they only put up something around 3:00 pm
local Chicago time)

Later,
  David.







RE: Secure wu-ftpd for Testing?

2001-11-29 Thread Howland, Curtis
The article I read about it on the Register...

http://www.theregister.co.uk/content/4/23082.html

"The hole affects thousands of users of virtually every Linux release.
Because of the wide implications, Core, working with CERT, and, at one
point, SecurityFocus' "Vulnerability Help" team, arranged a coordinated
release with Caldera, SuSE, TurboLinux, Debian, Red Hat, and other Linux
vendors, so that patches would be available for every distribution
simultaneously. December 3rd was picked for the release.

That plan went out the window Tuesday, when Red Hat unilaterally issued
its own advisory."

So I will assume that Debian has a fix that is being tested, if not in
"testing". I'm very surprised it hasn't been released or mentioned yet
myself.

Curt-

-Original Message-
From: David Ehle [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 14:20
To: [EMAIL PROTECTED]
Cc: Debian-Security (E-mail)
Subject: Secure wu-ftpd for Testing?



Hello all,

Is the wu-ftpd in testing secure? It seems to be 2.6.1 a stinker.
Testing is using 2.6.1-5, is that also compromised?  I have been
watching it all day but haven't seen any updates.

If it is not secure has a patched version been made available anywhere?
I can't seem to find any mention at http://www.debian.org/security/

Thanks!
David.




Re: Secure wu-ftpd for Testing?

2001-11-29 Thread David Ehle

Thanks Curtis,

   I know the maintainer has put together a fixed version for
Potato/stable, I am wondering if he has had time to do the testing yet,
or if we rollback to the testing one or what. I'm just hoping that
rollback won't be a dependency nightmare... the stable version is
wu-ftpd_2.6.0-6 available from:
ftp.debian.org but NOT (as of about 6:00pm my local time)
ftp.us.debian.org.

Anyway thanks for the info.

Here are some other info sources I've found:
http://www.securityfocus.com/archive/1/242750
http://www.wu-ftpd.org  (they only put up something around 3:00 pm
local Chicago time)

Later,
  David.



