wu-ftpd advisory update

2000-09-29T11:28:34
ID SSA-2000-0929112834
Type slackware
Reporter Slackware Linux Project
Modified 2000-09-29T11:28:34

Description


UPDATE: This announcement was first mailed out on 28-Sep-2000. It was later determined that incorrect 16-bit sums and 128-bit MD5 message digests were included in the announcement. The announcement below is identical to the one from yesterday, but it includes the correct verification data. We apologize for the inconvenience.


A vulnerability involving an input validation error in the "site exec" command has recently been identified in the wu-ftpd program (CERT Advisory CA-2000-13). More information about this problem can be found at this site:

http://www.cert.org/advisories/CA-2000-13.html

The wu-ftpd daemon is part of the tcpip1.tgz package in the N series. A new tcpip1.tgz package is now available in the Slackware -current tree. All users of Slackware 7.0, 7.1, and -current are strongly urged to upgrade to the new tcpip1.tgz package.

For users of Slackware 4.0, a wuftpd.tgz patch package is being provided in the /patches tree of Slackware 4.0.

=========================================
wu-ftpd 2.6.1 AVAILABLE - (n1/tcpip1.tgz)
=========================================

FOR USERS OF SLACKWARE 7.0, 7.1, and -current:


The recent vulnerability in wu-ftpd can be fixed by upgrading to the new tcpip1.tgz package. This package upgrades the wu-ftpd server to version 2.6.1. You can download it from the -current branch:

  ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/tcpip1.tgz

All users of Slackware 7.0, 7.1, and -current are strongly urged to upgrade to the tcpip1.tgz package to fix the vulnerability in wu-ftpd.

For verification purposes, we provide the following checksums:

  16-bit "sum" checksum:
  45865   995

  128-bit MD5 message digest:
  2ffec28ac4b9de34d5899f7cd88cc5c3  n1/tcpip1.tgz

Installation instructions for the tcpip1.tgz package:

  If you have downloaded the new tcpip1.tgz package, you should bring
  the system into runlevel 1 and run upgradepkg on it:

       > telinit 1
       > upgradepkg tcpip1.tgz
       > telinit 3

FOR USERS OF SLACKWARE 4.0:


The recent vulnerability in wu-ftpd can be fixed by installing the wuftpd.tgz patch package. This package upgrades the wu-ftpd server to version 2.6.1. You can download it from the Slackware 4.0 branch:

  ftp://ftp.slackware.com/pub/slackware/slackware-4.0/patches/wuftpd.tgz

All users of Slackware 4.0 are strongly urged to install the wuftpd.tgz patch package to fix the vulnerability in wu-ftpd.

For verification purposes, we provide the following checksums:

  16-bit "sum" checksum:
  06607   105

  128-bit MD5 message digest:
  75547b1762d7ff4fad233cd89529ff2c  wuftpd.tgz
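
The verification step from both sections above, as an added example that is not part of the original Slackware advisory: a POSIX shell function that compares a downloaded package with the published "sum" and MD5 values before anything is installed. The function name verify_pkg, its exit codes and the script name verify.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory. verify_pkg and its exit codes
# are hypothetical names chosen for this example.
#
# verify_pkg FILE MD5 SUM BLOCKS
#   returns 0 if FILE matches all published values, 1 on any mismatch,
#   2 if FILE cannot be read.
verify_pkg() {
    file=$1
    # Accept the digest in either case; md5sum prints lowercase hex.
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sum=$3
    want_blocks=$4
    status=0

    [ -r "$file" ] || { echo "verify_pkg: cannot read $file" >&2; return 2; }

    # Feed both tools from stdin so no filename is appended to the output.
    got_md5=$(md5sum < "$file" | awk '{print $1}')
    # BSD-style "sum" prints: <16-bit checksum> <1 KB block count>
    set -- $(sum < "$file")
    got_sum=$1
    got_blocks=$2

    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch: got $got_md5, advisory says $want_md5" >&2
        status=1
    fi
    # Compare as strings: the advisory prints leading zeros (e.g. 06607).
    if [ "$got_sum" != "$want_sum" ] || [ "$got_blocks" != "$want_blocks" ]; then
        echo "sum mismatch: got $got_sum $got_blocks," \
             "advisory says $want_sum $want_blocks" >&2
        status=1
    fi
    return "$status"
}

# Command-line use (script saved as verify.sh, a name assumed here),
# with the values from the advisory:
#   sh verify.sh tcpip1.tgz 2ffec28ac4b9de34d5899f7cd88cc5c3 45865 995
#   sh verify.sh wuftpd.tgz 75547b1762d7ff4fad233cd89529ff2c 06607 105
if [ "$#" -eq 4 ]; then
    verify_pkg "$@" || { echo "DO NOT INSTALL $1" >&2; exit 1; }
    echo "$1 matches the checksums in the advisory"
fi
```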

Installation instructions for the wuftpd.tgz package:

  If you have downloaded the wuftpd.tgz patch package, you should bring
  the system into runlevel 1 and run installpkg on it:

       > telinit 1
       > installpkg wuftpd.tgz
       > telinit 3

Remember, it's also a good idea to back up configuration files before upgrading packages.