Bug#4331: [linux-security] [linux-alert] SECURITY FIX/UPDATE: anonftp (fwd)
Hi,
(debian bug, Elliot)
> Package: wu-ftpd
> Version: 2.4-23
>
> I don't know the exploit, but tar in the anon ftp area is the
> same as the normal one, so I think Debian systems may have this
> problem too. Two messages from the linux-security list (the
> second one includes a patch for tar - only for anon ftp, not
> for the normal one!) are attached below.
AFAIK it is along the lines of
"site exec tar cvzf -rsh-command blafasel host:tar.tgz"
Of course there should be no tar binary in the site exec directory,
therefore I wonder where the problem is... But I guess a stripped-down binary
version of tar together with a stripped-down binary version of ls (both
static) would be a nice idea to be included in the wu-ftpd package.
Greetings
Bernd
--
(OO) -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( .. ) ecki@{lina.inka.de,linux.de} http://home.pages.de/~eckes/
o--o *plush* 2048/A2C51749 eckes@irc +4972573817 *plush*
(O____O) If privacy is outlawed only Outlaws have privacy