MandrivaUsers.org > Security Advisory (MDKSA-2003:080): wu-ftpd

Full Version: Security Advisory (MDKSA-2003:080): wu-ftpd

MandrivaUsers.org > Announcements > Mandriva Security Advisories

aru

Jul 31 2003, 05:41 PM

MandrakeSoft Security Advisory MDKSA-2003:080 : wu-ftpd

July 31st, 2003
Updated wu-ftpd packages fix remote root vulnerability

A vulnerability was discovered by Janusz Niewiadomski and Wojciech Purczynski in the wu-ftpd FTP server package. They found an off-by- one bug in the fb_realpath() function which could be used by a remote attacker to obtain root privileges on the server. This bug can only be successfully accomplished by using wu-ftpd binaries compiled on Linux 2.0.x and later 2.4.x kernels because the 2.2.x and earlier 2.4.x kernels define PATH_MAX to be 4095 characters.

wu-ftpd is no longer shipped with Mandrake Linux, however Mandrake Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are encouraged to upgrade to these patched packages.

The released versions of Mandrake GNU/Linux affected are:[list]
Full information about this advisory, including the updated packages, is available at:
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:080

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0466

[size=9]Posted automatically by aru (mdksec2mub v0.0.6)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.