Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
From: Robert Watson (rwatson_at_freebsd.org)
Date: 07/31/03
- Previous message: Mike Tancsa: "Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug"
- In reply to: John Fox: "Wu-ftpd FTP server contains remotely exploitable off-by-one bug"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 31 Jul 2003 15:19:24 -0400 (EDT) To: John Fox <jjf@mind.net>
On Thu, 31 Jul 2003, John Fox wrote:
> I see in BugTraq that there's yet another problem with Wu-ftpd, but I
> see no mention of it in the freebsd-security mailing list archives...I
> have searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?
I can't speak to specifically why there hasn't been an advisory of some
sort for this specific vulnerability, but I can say that the primary
reason why wu-ftpd issues don't get much discussion on FreeBSD lists
compared to Linux lists is that the default FTP server in FreeBSD isn't
wu-ftpd, unlike many Linux distributions. It's considered a third party
software package, which means it will generally be covered in ports
security notices, as opposed to FreeBSD security advisories. In the past,
a number of vulnerabilities in various FTP packages have been associated
with bugs in library code, not in the FTP daemon itself -- for example, at
least one or two cases were associates with the libc glob code. This can
also affect whether a vulnerability applies on all OS's, or just a few.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Network Associates Laboratories
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Mike Tancsa: "Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug"
- In reply to: John Fox: "Wu-ftpd FTP server contains remotely exploitable off-by-one bug"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
