Conectiva Information for VU#639760

WU-FTPD configured to use RFC 931 authentication running in debug mode contains format string vulnerability

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : wu-ftpd
SUMMARY   : Additional format string fixes for wu-ftpd
DATE      : 2001-11-30 19:02:00
ID        : CLA-2001:443
RELEVANT
RELEASES  : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
"wu-ftpd" is one of the ftp servers shipped with Conectiva Linux and
many other distributions.

 This is a follow-up to the CLSA-2001:442 announcement, where a
critical security problem was fixed. The wu-ftpd developers now
released[1] an official fix for that problem, but with two additional
corrections:
- format string fixes: some new format string bugs have been
patched;
- additional checks: null-pointer checks have been added to some
parts of the code.

 These two new fixes, as well as another one related to PASV mode[2]
(not security related), have been applied to the updated packages
presented through this advisory.


SOLUTION
It is recommended that all wu-ftpd users apply the update.


 REFERENCES
1.ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/ftpglob.patch
2.ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/pasv-port-allow-correction.patch


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/wu-ftpd-2.6.1-6U51_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/wu-ftpd-2.6.1-6U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/wu-ftpd-2.6.1-6U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wu-ftpd-2.6.1-6U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/wu-ftpd-2.6.1-6U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/wu-ftpd-2.6.1-6U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
  (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
- after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8B/Z442jd0JmAcZARAhwpAKCtq6his3yR1Yksy06W9aYHIIshRQCfXZL8
3TruJyx+gGBN0uXkCt4bIdA=
=hB4B
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.