Washington University Information for VU#426273
KTH Kerberos filesystem race condition on tickets stored in /tmp
Unknown. If you are the vendor named above, please contact us to update your status.
WU-FTPD 2.6.1 supports Kerberos in one of two ways:
- Via PAM: in which case we defer any statement of vulnerability to the PAM maintainers.
- Via direct calls: in which case we are probably as vulnerable as any other service using Kerberos for user authentication.
For WU-FTPD systems using Kerberos, especially those which do not use shared libraries, I would recommend re-compiling (specifically, re-linking) the daemon to ensure an updated Kerberos runtime is used.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.