[SECURITY] New Debian wu-ftpd packages released (fwd)

Daniel R. Kilbourne daniel.kilbourne@voyager.net
Sat, 24 Jun 2000 08:49:00 -0400


On a related note, Red Hat also issued an advisory... you can get an RPM by ftp'ing to updates.redhat.com

Edward Glowacki wrote:
> ---------- Forwarded message ----------
> Date: Fri, 23 Jun 2000 00:17:38 -0700
> From: Daniel Jacobowitz <drow@FALSE.ORG>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: [SECURITY] New Debian wu-ftpd packages released
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> - ----------------------------------------------------------------------------
> Debian Security Advisory                                 security@debian.org
> http://www.debian.org/security/                            Daniel Jacobowitz
> June 22, 2000
> - ----------------------------------------------------------------------------
> 
> Package: wu-ftpd (wu-ftpd-academ)
> Vulnerability: remote root exploit
> Debian-specific: no
> 
> The version of wu-ftpd distributed in Debian GNU/Linux 2.1 (a.k.a. slink),
> as well as in the frozen (potato) and unstable (woody) distributions, is
> vulnerable to a remote root compromise.  The default configuration in all
> current Debian packages prevents the currently available exploits in the
> case of anonymous access, although local users could still possibly
> compromise the server.
> 
> This has been fixed in versions 2.4.2.16-13.1 (for slink) and 2.6.0-5.1 (for
> potato and woody), and we recommend that you update your wu-ftpd-academ (for
> slink) or wu-ftpd (for potato and woody) package immediately.
> 
> 
> Debian GNU/Linux 2.1 alias slink
> - --------------------------------
> 
>   This version of Debian was released only for Intel ia32, the Motorola
>   680x0, the Alpha, and the Sun Sparc architecture.  Fixes for Intel ia32
>   and the Sun Sparc architecture are currently available; fixes for other
>   architectures will be available soon.
> 
>   Source archives:
>     http://security.debian.org/dists/slink/updates/source/wu-ftpd-academ_2.4.2.16-13.1.diff.gz
>       MD5 checksum: a3d26f64852e10d5831f1362e214074b
>     http://security.debian.org/dists/slink/updates/source/wu-ftpd-academ_2.4.2.16-13.1.dsc
>       MD5 checksum: 3c1848cfbdc82eae8008e26f34b63029
>     http://security.debian.org/dists/slink/updates/source/wu-ftpd-academ_2.4.2.16.orig.tar.gz
>       MD5 checksum: 1b636fbfb3a5417886cc4265cca0fc5f
> 
>   Intel ia32 architecture:
>     http://security.debian.org/dists/slink/updates/binary-i386/wu-ftpd-academ_2.4.2.16-13.1_i386.deb
>       MD5 checksum: 9eace595dcb0ba68bb2ddd60ffbfa12f
> 
>   Sun Sparc architecture:
>     http://security.debian.org/dists/slink/updates/binary-sparc/wu-ftpd-academ_2.4.2.16-13.1_sparc.deb
>       MD5 checksum: 1302d89ae95d8b40eb000472abeb461c
> 
> Debian 2.2 alias potato
> - -----------------------
> 
>   This version of Debian is not yet released.  Fixes are currently available
>   for Alpha, ARM, Intel ia32, PowerPC, and the Sun Sparc architecture.
>   Fixes for other architectures will be available soon.
> 
>   Source archives:
>     http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz
>       MD5 checksum: d24ba31633ed0d279653c671f93bf624
>     http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.dsc
>       MD5 checksum: bc7138b128d8d32d5810ac19cc4ccf75
>     http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0.orig.tar.gz
>       MD5 checksum: 652cfe4b59e0468eded736e7c281d16f
> 
>   Architecture independent archives:
>     http://security.debian.org/dists/potato/updates/main/binary-all/wu-ftpd-academ_2.6.0-5.1_all.deb
>       MD5 checksum: fa11e4fb1e3852382e9261a265ab85be
> 
>   Alpha architecture:
>     http://security.debian.org/dists/potato/updates/main/binary-alpha/wu-ftpd_2.6.0-5.1_alpha.deb
>       MD5 checksum: 3907a13fd70063eb8cccc47148d3b316
> 
>   ARM architecture:
>     http://security.debian.org/dists/potato/updates/main/binary-arm/wu-ftpd_2.6.0-5.1_arm.deb
>       MD5 checksum: 9faeaec3a831510179c4e3a6ea50ff52
> 
>   Intel ia32 architecture:
>     http://security.debian.org/dists/potato/updates/main/binary-i386/wu-ftpd_2.6.0-5.1_i386.deb
>       MD5 checksum: 8f74c7004d4a06bfef2a5de786993164
> 
>   PowerPC architecture:
>     http://security.debian.org/dists/potato/updates/main/binary-powerpc/wu-ftpd_2.6.0-5.1_powerpc.deb
>       MD5 checksum: 4af70cff2b3a0396945df86fa8ebc6b8
> 
>   Sun Sparc architecture:
>     http://security.debian.org/dists/potato/updates/main/binary-sparc/wu-ftpd_2.6.0-5.1_sparc.deb
>       MD5 checksum: 71320a88456af1b92f4e9848bbe76a80
> 
> Debian Unstable alias woody
> - ---------------------------
> 
>   A fix will be available in the unstable archive soon.  Meanwhile, install
>   the appropriate potato packages listed above.
> 
> - ----------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable updates
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
> Mailing list: debian-security-announce@lists.debian.org
> 

-- 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Daniel R. Kilbourne
daniel.kilbourne@voyager.net
Voyager.net Network Engineer

^^^^^^^^^^^^^^^^^^^^^^^^^^^^
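
Added example, not part of the original message or of the Debian advisory: a Python sketch that parses the advisory's "URL, then MD5 checksum" layout (mail quote prefixes included) and checks downloaded package files against the listed values. The excerpt is copied from the advisory quoted above; the function names are this example's own.

```python
import hashlib
import re
from pathlib import Path

# Excerpt copied from the advisory quoted above, "> " prefixes included.
ADVISORY_EXCERPT = """\
>   Intel ia32 architecture:
>     http://security.debian.org/dists/slink/updates/binary-i386/wu-ftpd-academ_2.4.2.16-13.1_i386.deb
>       MD5 checksum: 9eace595dcb0ba68bb2ddd60ffbfa12f
>
>   Sun Sparc architecture:
>     http://security.debian.org/dists/slink/updates/binary-sparc/wu-ftpd-academ_2.4.2.16-13.1_sparc.deb
>       MD5 checksum: 1302d89ae95d8b40eb000472abeb461c
"""

URL_RE = re.compile(r"^(?:>\s?)*\s*(https?://\S+)\s*$")
MD5_RE = re.compile(r"^(?:>\s?)*\s*MD5 checksum:\s*([0-9a-fA-F]{32})\s*$")

def parse_checksums(text):
    """Map each package file name to the MD5 listed directly after its URL."""
    sums, pending = {}, None
    for line in text.splitlines():
        if (m := URL_RE.match(line)):
            pending = m.group(1).rsplit("/", 1)[-1]
        elif (m := MD5_RE.match(line)) and pending:
            sums[pending] = m.group(1).lower()
            pending = None
        elif line.strip(" >"):
            pending = None  # any other text breaks the URL/checksum pairing
    return sums

def md5_of(path, chunk=1 << 16):
    """Hash the file in chunks so large packages are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify(path, sums):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    expected = sums.get(Path(path).name)
    if expected is None:
        return "unlisted"  # never install a file the advisory does not name
    return "ok" if md5_of(path) == expected else "mismatch"

if __name__ == "__main__":
    for name, md5 in parse_checksums(ADVISORY_EXCERPT).items():
        print(md5, name)
```

A matching MD5 only shows the file is the one the advisory text names; the authenticity of the advisory text itself rests on its PGP signature, which has to be checked against the original signed message.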