SECURITY: proftpd, wu-ftpd, beroftpd errata updates

Subject: SECURITY: proftpd, wu-ftpd, beroftpd errata updates
From: Dan Burcaw (dburcaw@terraplex.com)
Date: Sun Aug 29 1999 - 22:26:58 MDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: Dick Benster: "How eliminate video artifacts while drawing?"
• Previous message: mg: "YDL"

The Yellow Dog Linux Security Team has just released three packages which
fix recently discovered security vulnerabilities.

Packages: proftpd, wu-ftpd, beroftpd
Date: August 29, 1999
Problem:
Due to insufficient bounds checking on directory name lengths which can be
supplied by users, it is possible to overwrite the static memory space of
the ftp daemon while it is executing under certain configurations. By
having the ability to create directories and supplying carefully designed
directory names to the ftp server, users may gain privileged access. This
vulnerability may allow local & remote users to gain root privileges.
                         
Thanks goes out to the wu-ftpd development group and the members of
BugTraq for discovering and fixing this problem.

proftpd is the default FTP server installed with Yellow Dog Linux. You
only need to upgrade it unless you have manually installed either wu-ftpd
or beroftpd from the extras directory.
                         
Urgency: HIGH
Solution: rpm -Uvh <file>

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/RPMS/proftpd-1.2.0pre3-2.ppc.rpm

OR

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/extras/RPMS/wu-ftpd-2.5.0-2.ppc.rpm
                         
OR

ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.1/extras/RPMS/beroftpd-1.3.4-1.ppc.rpm
                         
Be sure to restart inetd once you have upgraded your ftp server. You can
do this by executing the following as root: /etc/rc.d/init.d/inet restart

Here are the md5 checksums of the update packages, please verify these
before installing the new packages by running: md5sum <file>

220b153493412610e4a18a182d737253 RPMS/proftpd-1.2.0pre3-2.ppc.rpm
de83eaf2620afe25e3d5104735f5c7de extras/RPMS/wu-ftpd-2.5.0-2.ppc.rpm
ef70b8d6c87aa7c201764f683d0106f2 extras/RPMS/beroftpd-1.3.4-1.ppc.rpm

Users of Champion Server 1.0 can also, and are strongly advised to upgrade
their ftp server.

More information can be found from our errata page at:
http://www.yellowdoglinux.com/resources/errata_cs11.shtml

Dan

Yellow Dog Linux for Apple G3 and PowerPC
  email: dburcaw@yellowdoglinux.com
  website: http://www.yellowdoglinux.com/

• Next message: Dick Benster: "How eliminate video artifacts while drawing?"
• Previous message: mg: "YDL"

This archive was generated by hypermail 2a24 : Sun Sep 05 1999 - 13:46:33 MDT