From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] wu-ftpd advisory update
Date: Fri, 29 Sep 2000 11:28:34 -0700 (PDT)
******
UPDATE: This announcement was first mailed out on 28-Sep-2000. It was
later determined that incorrect 16-bit sums and 128-bit MD5 message
digests were included in the announcement. The announcement below is
identical to the one from yesterday, but it includes the correct
verification data. We apologize for the inconvenience.
******
A vulnerability involving an input validation error in the "site exec"
command has recently been identified in the wu-ftpd program (CERT Advisory
CA-2000-13). More information about this problem can be found at this site:
http://www.cert.org/advisories/CA-2000-13.html
The wu-ftpd daemon is part of the tcpip1.tgz package in the N series. A
new tcpip1.tgz package is now available in the Slackware -current tree.
All users of Slackware 7.0, 7.1, and -current are strongly urged to upgrade
to the new tcpip1.tgz package.
For users of Slackware 4.0, a wuftpd.tgz patch package is being provided
in the /patches tree of Slackware 4.0.
=========================================
wu-ftpd 2.6.1 AVAILABLE - (n1/tcpip1.tgz)
=========================================
FOR USERS OF SLACKWARE 7.0, 7.1, and -current:
---------------------------------------------
The recent vulnerability in wu-ftpd can be fixed by upgrading to the
new tcpip1.tgz package. This package upgrades the wu-ftpd server to
version 2.6.1. You can download it from the -current branch:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/tcpip1.tgz
All users of Slackware 7.0, 7.1, and -current are strongly urged to
upgrade to the tcpip1.tgz package to fix the vulnerability in wu-ftpd.
For verification purposes, we provide the following checksums:
16-bit "sum" checksum:
45865 995
128-bit MD5 message digest:
2ffec28ac4b9de34d5899f7cd88cc5c3 n1/tcpip1.tgz
Installation instructions for the tcpip1.tgz package:
If you have downloaded the new tcpip1.tgz package, you should bring
the system into runlevel 1 and run upgradepkg on it:
# telinit 1
# upgradepkg tcpip1.tgz
# telinit 3
FOR USERS OF SLACKWARE 4.0:
--------------------------
The recent vulnerability in wu-ftpd can be fixed by installing the
wuftpd.tgz patch package. This package upgrades the wu-ftpd server
to version 2.6.1. You can download it from the Slackware 4.0 branch:
ftp://ftp.slackware.com/pub/slackware/slackware-4.0/patches/wuftpd.tgz
All users of Slackware 4.0 are strongly urged to install the wuftpd.tgz
patch package to fix the vulnerability in wu-ftpd.
For verification purposes, we provide the following checksums:
16-bit "sum" checksum:
06607 105
128-bit MD5 message digest:
75547b1762d7ff4fad233cd89529ff2c wuftpd.tgz
Installation instructions for the wuftpd.tgz package:
If you have downloaded the wuftpd.tgz patch package, you should bring
the system into runlevel 1 and run installpkg on it:
# telinit 1
# installpkg wuftpd.tgz
# telinit 3
Remember, it's also a good idea to back up configuration files before
upgrading packages.
- Slackware Linux Security Team
http://www.slackware.com