WU-FTPD

[J.E.J. op den Brouw]

Hi,

Does anyone know if the wu-ftp-2.6.0-14.6x package suffers from the
vulnerability that was in version 2.6.0 (SITE EXEC buffer overflow
exploit) or did redhat patch it with a fix?

--
--jesse
----------------------------------------------------------------------
J. op den brouw Johanna Westerdijkplein 75
Haagse Hogeschool 2521 EN DEN HAAG
Sector Techniek The Netherlands
Opleiding Elektrotechniek +31-70-4458936
----------------------------------------------------------------------
Linux - because reboots are for hardware changes

[the...@--x--houston.rr.com]

Actually the exploit depended on how ftpd was configured. I was not
open to the exploit, but upgraded to 2.6.1 for the new security
features and to avoid any potential problems.

Get the latest release v2.6.1. Compiling is quite simple, read the
INSTALL file. Replace your current binary.

http://www.wu-ftpd.org

If you download the precompiled binary, be warned that you will have
problems if you are running shadow passwords. The precompiled version
is not configured for PAM or shadow passwords.

After installing. Read the new manpages to learn how to tighten
security for your ftp server.
The features in " man ftpaccess " will add a few more security walls.

[J.E.J. op den Brouw]

Thanx, this is what I did.........

RH70 beta has a wu-ftpd-2.6.1-5.src.rpm
Download it and build upto the %build% phase (so
NO install),

then manually install the ftpd over /usr/bin/ftpd
Make a backup first.

Installing wu-ftpd-2.6.1-5.i386.rpm will fail because
of dependencies....

In any case, is seems to work.

[J.E.J. op den Brouw]

Hmm, after all, it seems not to work as
expected. The FTP daemon seems to hang
after an ls -al command....