Washington University Information for VU#602625

KTH Kerberos environment variables krb4proxy and KRBCONFDIR may be used insecurely


Unknown. If you are the vendor named above, please contact us to update your status.

Vendor Statement

WU-FTPD 2.6.1 supports Kerberos in one of two ways:

    • Via PAM: in which case we defer any statement of vulnerability to the PAM maintainers.
    • Via direct calls: in which case we are probably as vulnerable as any other service using Kerberos for user authentication.
    For WU-FTPD systems using Kerberos, especially those which do not use shared libraries, I would recommend re-compiling (specifically, re-linking) the daemon to ensure an updated Kerberos runtime is used.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Vendor References



    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.