Slackware Security Advisories
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] wu-ftpd advisory update
Date: Fri, 29 Sep 2000 11:28:34 -0700 (PDT)
******
UPDATE:  This announcement was first mailed out on 28-Sep-2000.  It was
later determined that incorrect 16-bit sums and 128-bit MD5 message
digests were included in the announcement.  The announcement below is
identical to the one from yesterday, but it includes the correct
verification data.  We apologize for the inconvenience.
******


A vulnerability involving an input validation error in the "site exec"
command has recently been identified in the wu-ftpd program (CERT Advisory
CA-2000-13).  More information about this problem can be found at this site:

   http://www.cert.org/advisories/CA-2000-13.html

The wu-ftpd daemon is part of the tcpip1.tgz package in the N series.  A
new tcpip1.tgz package is now available in the Slackware -current tree.
All users of Slackware 7.0, 7.1, and -current are strongly urged to upgrade
to the new tcpip1.tgz package.

For users of Slackware 4.0, a wuftpd.tgz patch package is being provided
in the /patches tree of Slackware 4.0.


=========================================
wu-ftpd 2.6.1 AVAILABLE - (n1/tcpip1.tgz)
=========================================

   FOR USERS OF SLACKWARE 7.0, 7.1, and -current:
   ---------------------------------------------

   The recent vulnerability in wu-ftpd can be fixed by upgrading to the
   new tcpip1.tgz package.  This package upgrades the wu-ftpd server to
   version 2.6.1.  You can download it from the -current branch:

      ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/tcpip1.tgz

   All users of Slackware 7.0, 7.1, and -current are strongly urged to 
   upgrade to the tcpip1.tgz package to fix the vulnerability in wu-ftpd.

   For verification purposes, we provide the following checksums:

      16-bit "sum" checksum:
      45865   995

      128-bit MD5 message digest:
      2ffec28ac4b9de34d5899f7cd88cc5c3  n1/tcpip1.tgz

   Installation instructions for the tcpip1.tgz package:

      If you have downloaded the new tcpip1.tgz package, you should bring
      the system into runlevel 1 and run upgradepkg on it:

         # telinit 1
         # upgradepkg tcpip1.tgz
         # telinit 3



   FOR USERS OF SLACKWARE 4.0:
   --------------------------
   
   The recent vulnerability in wu-ftpd can be fixed by installing the
   wuftpd.tgz patch package.  This package upgrades the wu-ftpd server
   to version 2.6.1.  You can download it from the Slackware 4.0 branch:

      ftp://ftp.slackware.com/pub/slackware/slackware-4.0/patches/wuftpd.tgz

   All users of Slackware 4.0 are strongly urged to install the wuftpd.tgz
   patch package to fix the vulnerability in wu-ftpd.

   For verification purposes, we provide the following checksums:

      16-bit "sum" checksum:
      06607   105

      128-bit MD5 message digest:
      75547b1762d7ff4fad233cd89529ff2c  wuftpd.tgz

   Installation instructions for the wuftpd.tgz package:

      If you have downloaded the wuftpd.tgz patch package, you should bring
      the system into runlevel 1 and run installpkg on it:

         # telinit 1
         # installpkg wuftpd.tgz
         # telinit 3


Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com
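
The verification step described in the advisory, written as a gate that runs before upgradepkg or installpkg. This is an added example, not part of the original advisory; the function name verify_pkg is hypothetical, and it assumes the GNU coreutils "sum" (BSD algorithm, 1K blocks) and "md5sum" tools.

```shell
#!/bin/sh
# verify_pkg FILE SUM BLOCKS MD5
# Hypothetical helper (not from the advisory): compares FILE against the
# 16-bit "sum" checksum, the 1K block count and the MD5 digest published
# in an advisory. Returns 0 only if all three match, 1 on any mismatch,
# 2 if the file cannot be read.
verify_pkg() {
    file=$1
    want_sum=$2
    want_blocks=$3
    want_md5=$4

    [ -r "$file" ] || { echo "verify_pkg: cannot read $file" >&2; return 2; }

    # Feed the file on stdin so neither tool appends a file name.
    # GNU sum prints a zero-padded 5-digit checksum, then the block count,
    # which is the same layout the advisory uses (e.g. "06607   105").
    set -- $(sum < "$file")
    got_sum=$1
    got_blocks=$2
    set -- $(md5sum < "$file")
    got_md5=$1

    rc=0
    [ "$got_sum" = "$want_sum" ] ||
        { echo "sum mismatch: got $got_sum, want $want_sum" >&2; rc=1; }
    [ "$got_blocks" = "$want_blocks" ] ||
        { echo "block count mismatch: got $got_blocks, want $want_blocks" >&2; rc=1; }
    [ "$got_md5" = "$want_md5" ] ||
        { echo "MD5 mismatch: got $got_md5, want $want_md5" >&2; rc=1; }
    return $rc
}

# Usage with the values published above, run from the download directory:
#   verify_pkg tcpip1.tgz 45865 995 2ffec28ac4b9de34d5899f7cd88cc5c3 \
#       && upgradepkg tcpip1.tgz
#   verify_pkg wuftpd.tgz 06607 105 75547b1762d7ff4fad233cd89529ff2c \
#       && installpkg wuftpd.tgz
```

Pass the checksum exactly as printed in the advisory, leading zero included, since the comparison is a string match against the output of "sum".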


Slackware™ is a trademark of Patrick Volkerding.