[496] in linux-security and linux-alert archive
Re: CERT and wu-ftpd advisory
daemon@ATHENA.MIT.EDU (Jonathan A. Davis)
Sun Dec 3 17:59:19 1995
Date: Sat, 2 Dec 1995 22:10:10 -0600 (CST)
From: "Jonathan A. Davis" <jonathan@evergreen.cc.usm.edu>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.SUN.3.91.951130133605.6035A-100000@dfw.net>
On Thu, 30 Nov 1995, Aleph One wrote:
> My god. This is so disgusting. CERT has just released an advisory
> on the wu-ftpd vulnerability that was discussed here.. what? 6 months ago?
> I mean with a problem so simple, that has been discussed to death it
> takes them 6 months to respond? I wonder how long it takes for an
> undisclosed complex security bug to have an advisory... prob like a year
> and a half.
[Mod: Quoting trimmed. --Jeff.]
I agree that the "lag" time seems somewhat excessive. It would help to
know when CERT was actually first notified.
CERT's first advisory concerning a "SITE EXEC" problem was part of
"CA-94:08.ftpd.vulnerabilities". It is not directly related to the
current security problem although some confusion (particularly with
respect to vulnerable wu-ftp versions) may have resulted from it.
------------------------------snip--------------------------------
CA-94:08.ftpd.vulnerabilities 04/14/94
This advisory addresses two vulnerabilities with some releases of
ftpd and announces new versions and patches to correct these
problems. ftpd versions affected are wuarchive ftpd 2.0-2.3,
DECWRL ftpd versions prior to 5.93, and BSDI ftpd version 1.1
prior to patch level 5. The vulnerabilities addressed are the
SITE EXEC and race condition vulnerabilities.
------------------------------snip--------------------------------
BTW, has anyone experienced an actual security breach due to this bug?
Thankfully, we were not affected. Or, (as happens so often with security
anyway) if we were, I don't know about it. ;-)
-Jonathan _ _
------------------------------------------------------------->>>>>>>>-(o)(o)---
Jonathan A. Davis | Academic Systems Analyst | Hattiesburg/Gulf Park/Stennis
USM Computing Center | Box 5171 | (601) 266-4103 | davis@evergreen.cc.usm.edu
http://www.usm.edu/jonathan/home.html | finger jonathan@evergreen for PGP key