Fwd: [suse-security-announce] SuSE Security Announcement: wuftpd (SuSE-SA:2001:043)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
I am a newbie to this list, so please forgive if something may be a
FAQ.
First of all I want to forward a Security Announcement. Since I run
wuftpd on some server I'd like to know if I am vulnerable with debian
(2.2r4) too.
Is there a place where to find pending issues for debian?
Thanks
Hendrik Naumann
- ---------- Weitergeleitete Nachricht ----------
Subject: [suse-security-announce] SuSE Security Announcement: wuftpd
(SuSE-SA:2001:043)
Date: Wed, 28 Nov 2001 23:55:25 +0100 (MET)
From: Roman Drahtmueller <draht@suse.de>
To: <suse-security-announce@suse.com>
- -----BEGIN PGP SIGNED MESSAGE-----
_____________________________________________________________________
_________
SuSE Security Announcement
Package: wuftpd
Announcement-ID: SuSE-SA:2001:043
Date: Wednesday, Nov. 28th, 2001 23:45 MET
Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type: remote root compromise
Severity (1-10): 7
SuSE default package: no
Other affected systems: all liunx-like systems using wu-ftpd
2.4.x / 2.6.0 / 2.6.1
Content of this advisory:
1) security vulnerability resolved: wuftpd
problem description, discussion, solution and upgrade
information 2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
_____________________________________________________________________
_________
1) problem description, brief discussion, solution, upgrade
information
The wuftpd package as shipped with SuSE Linux distributions comes
with two versions of wuftpd: wuftpd-2.4.2, installed as
/usr/sbin/wuftpd, and wuftpd-2.6.0, installed as
/usr/sbin/wuftpd-2.6.
The admin decides which version to use by the inetd/xinetd
configuration.
The CORE ST Team had found an exploitable bug in all versions of
wuftpd's ftpglob() function.
The glob function overwrites buffer bounds while matching open
and closed brackets. Due to a missing \0 at the end of the buffer a
later call to a function that frees allocated memory will feed
free(3) with userdefined data. This bug could be exploited depending
on the implementation of the dynmaic allocateable memory API
(malloc(3), free(3)) in the libc library. Linux and other system are
exploitable!
Some weeks ago, an internal source code audit of wu-ftpd 2.6.0
performed by Thomas Biege, SuSE Security, revealed some other
security related bugs that are fixed in the new RPM packages.
Additionally, code from wu-ftpd 2.6.1 were backported to version
2.6.0 to make it more stable.
A temporary fix other than using a different server
implementation of the ftp protocol is not available. We recommend to
update the wuftpd package on your system.
We thank the wuftpd team for their work on the bug, particularly
because the coordination between the vendors and the wuftpd
developers lacked the necessary discipline for the timely release of
the information about the problem.
Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command "rpm -Uhv
file.rpm" to apply the update.
- -- SNIP --
...
- -- SNIP --
_____________________________________________________________________
_________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- ssh/openssh exploits
The wrong fix for the crc32-compensation attack is currently
actively exploited in the internet for both the ssh and the openssh
implementation of the ssh-1 protocol.
We urge our users to upgrade their ssh or openssh packages to
the latest versions that are located on our ftp server at the usual
directories, referred to via
http://www.suse.de/de/support/security/adv004_ssh.txt from
February earlier this year.
Please note, the packages for the SuSE Linux distributions 7.0
and older containing cryptographic code are located on the German
ftp server ftp.suse.de, the distributions 7.1 and newer have their
crypto updates on ftp.suse.com. There are legal constraints beyond
our control that lead to this situation.
Openssh packages of the version 2.9.9p2 ready to download on
the ftp server ftp.suse.com. They fix the security problems
mentioned above, along with a set of less serious security problems.
The announcement is still pending while investigations about
the status of the package are in progress.
- libgtop_daemon
The libgtop_daemon, part of the libgtop package for gathering
and monitoring process and system information, has been found
vulnerable to a format string error. We are in the process of
providing fixes for the affected distributions 6.4-7.3. In the
meanwhile, we recommend to disable the libgtop_daemon on systems
where it is running. This daemon is neither installed nor started
(if installed) by default on SuSE Systems.
- kernel updates
A bug in the elf loader of the linux kernels version 2.4 from
our announcement SSA:2001:036 can cause a system to crash if a user
executes a vmlinux kernel image. We are preparing another update
series to workaround this problem and will re-issue the kernel
announcement as soon as possible.
- -------------------------------------------------------
- --
PGP ID 21F0AC0265C92061
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8BhTmIfCsAmXJIGERAlL/AJ9MORBztBKK7TASCSenOLtsUpxTXQCfWnrN
8YQ1SWtOUqdyUvy3Yj7woHc=
=K4u5
-----END PGP SIGNATURE-----
Reply to: