Washington University Information for VU#426273

KTH Kerberos filesystem race condition on tickets stored in /tmp


Unknown. If you are the vendor named above, please contact us to update your status.

Vendor Statement

WU-FTPD 2.6.1 supports Kerberos in one of two ways:

  • Via PAM: in which case we defer any statement of vulnerability to the PAM maintainers.
  • Via direct calls: in which case we are probably as vulnerable as any other service using Kerberos for user authentication.
For WU-FTPD systems using Kerberos, especially those which do not use shared libraries, I would recommend re-compiling (specifically, re-linking) the daemon to ensure an updated Kerberos runtime is used.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.