FreeBSD_FTP_port_holes.txt

`Subject: [[email protected]: FreeBSD Security Advisory:  
FreeBSD-SA-99:03.ftpd REISSUED]  
To: [email protected]   
  
  
[[email protected] 2.ems Content-Type: text/plain; charset=us-ascii  
  
*** PGP Signature Status: unknown  
*** Signer: Unknown, Key ID xBE7497F1  
*** Signed: 9/15/99 11:30:30 PM  
*** Verified: 9/17/99 1:04:54 PM  
*** BEGIN PGP VERIFIED MESSAGE ***  
  
  
----- Forwarded message from FreeBSD Security Officer <[email protected]> -----  
  
Delivered-To: [email protected]  
Date: Wed, 15 Sep 1999 21:46:28 -0600 (MDT)  
From: FreeBSD Security Officer <[email protected]>  
Subject: FreeBSD Security Advisory: FreeBSD-SA-99:03.ftpd REISSUED  
Reply-To: [email protected]  
X-Loop: FreeBSD.org  
Precedence: bulk  
To: undisclosed-recipients: ;  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
=============================================================================  
FreeBSD-SA-99:03 Security Advisory  
FreeBSD, Inc.  
  
Topic: Three ftp daemons in ports vulnerable to attack.  
  
Category: ports  
Module: wu-ftpd and proftpd  
Announced: 1999-09-05  
Reissued: 1999-09-15  
Affects: FreeBSD 3.2 (and earlier)  
FreeBSD-current and -stable before the correction date.  
Corrected: FreeBSD-3.3 RELEASE  
FreeBSD as of 1999/08/30 for wuftpd only  
(Note: there is only one ports tree which is shared with  
all FreeBSD branches, so if you are running a -stable  
version of FreeBSD you will also be impacted.)  
FreeBSD only: NO  
Bugtraq Id: proftpd: 612  
  
Patches: NONE  
  
I. Background   
  
wuftpd, beroftpd and proftpd are all optional portions of the system  
designed to replace the stock ftpd on a FreeBSD system. They are  
written and maintained by third parties and are included in the  
FreeBSD ports collection.  
  
II. Problem Description  
  
There are different security problems which can lead to remote root  
access in these ports or packages.  
  
The standard ftp daemon which ships with FreeBSD is not impacted by  
either of these problems.  
  
III. Impact  
  
Remote users can gain root.  
  
IV. Workaround  
  
Disable the ftp daemon until you can upgrade your system, or use the  
stock ftpd that comes with FreeBSD.  
  
V. Solution  
  
Upgrade your wu-ftpd port to the version in the cvs repository after  
August 30, 1999. If you are not using the wu-ftpd port, then you  
should visit their web site and follow instructions there to patch  
your existing version.  
  
beroftpd, which was listed in the original wu-ftpd group's advisory as  
having a similar problem, has not been corrected as of September 15,  
1999. It will not be in the 3.3 release. The port has been marked  
forbidden and will remain so until the security problems have been  
corrected. If you are running beroftpd you are encouraged to find if  
patches are available for it which corrects these problems before  
enabling it on your system.  
  
proftpd, which had different security problems, has not been updated  
to a safe version as of September 15, 1999. It will not be in the 3.3  
release. It will not be in the 3.3 release. The port has been marked  
forbidden and will remain so until the security problems have been  
corrected. If you are running proftpd, you are encouraged to find out  
if there are patches which correct these problems before reenabling it  
on your system.  
  
The previous advisory suggested that any FreeBSD ports version of  
proftpd after August 30 had the security problems corrected. This has  
proven to not be the case and was the primary reason for reissuing  
this advisory. While reissuing the advisory, we added beroftpd since  
it shares a code history with wu-ftpd. The original advisory  
mistakenly asserted that proftpd also shared a code history with  
wuftpd, which is not the case.  
  
VI. Credits and Pointers  
  
The wu-ftpd advisory can be found at  
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc  
  
=============================================================================  
FreeBSD, Inc.  
  
Web Site: http://www.freebsd.org/  
Confidential contacts: [email protected]  
Security notifications: [email protected]  
Security public discussion: [email protected]  
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc  
  
Notice: Any patches in this document may not apply cleanly due to  
modifications caused by digital signature or mailer software.  
Please reference the URL listed at the top of this document  
for original copies of all patches if necessary.  
=============================================================================  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3ia  
Charset: noconv  
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface  
  
iQCVAwUBN+BmhFUuHi5z0oilAQFlOAQAiU3kAPurRruiFGfG33OsM3ni86HFpKPZ  
Hb9pINkP9Fu8qdKD/JKYYSxCLRhJLoqojSHXXpVvhJUOQx+1RVaiVCVNvZhV0ypx  
0M/+VEg1IpusbxkTRbNFE6cUrMwAiHvbZepYp41slTiA2MwDV7cqX1yvv1InGU1z  
HSfQSOB/Kfs=  
=NPAs  
-----END PGP SIGNATURE-----  
  
  
This is the moderated mailing list freebsd-announce.  
The list contains announcements of new FreeBSD capabilities,  
important events and project milestones.  
See also the FreeBSD Web pages at http://www.freebsd.org  
  
  
To Unsubscribe: send mail to [email protected]  
with "unsubscribe freebsd-announce" in the body of the message  
  
----- End forwarded message -----  
  
--   
Patrick Oonk - PO1-6BONE - [email protected] - www.pine.nl/~patrick  
Pine Internet B.V. PGP key ID BE7497F1   
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/  
-- Pine Security Digest - http://security.pine.nl/ (Dutch) ----  
Excuse of the day: The computer fletely, mouse and all.  
  
  
*** END PGP VERIFIED MESSAGE ***  
  
`