
Re: wu-ftp vulnerability



At 09:36 PM 11/28/01 -0800, greg@orthogony.com wrote:
>> Thu, Nov 29, 2001 at 12:35:13PM +1100, John Griffiths wrote:
>> At 05:22 PM 11/28/01 -0800, Greg Wiley wrote:
>
>> >http://www.securityfocus.com/archive/1/242750
>> >Debian 2.2 is on the list.
>> 
>> Does this affect wu-ftpd's that don't allow anonymous access?
>> 
>> i.e. if only users can log on, and I trust my users, can 
>> I stop stressing about it until the fixed version is available?
>
>The way I understand it is that it has to do with
>file globbing so in order to exploit, an attacker
>would have to log in.  So if anon is off and none
>of your users are baddies, maybe you're ok
>(although an unauthorized person might somehow know
>a legitimate authpair).
>

That's a load off my mind,

I'll be updating as soon as it's available and I'm willing to work with
that risk level for a day or so.

Thank you very much.


