[9539] in bugtraq


palmetto.ftpd vulnerability clarification.

daemon@ATHENA.MIT.EDU (Jordan Ritter)
Fri Feb 12 21:28:40 1999

Date: 	Fri, 12 Feb 1999 15:49:05 -0500
Reply-To: Jordan Ritter <jpr5@NETECT.COM>
From: Jordan Ritter <jpr5@NETECT.COM>
To: BUGTRAQ@NETSPACE.ORG


Folks,

I have received several emails from various engineering groups
with concerns over ambiguity in Appendix B's (OS Vendors) vulnerability
information.  Specifically, some find it unclear as to whether or not
machines are vulnerable running wu-ftpd or proftpd even though their
Vendor reported the operating system as not vulnerable.

To clarify, the specific versions of wu-ftpd and ProFTPD described in the
advisory ARE vulnerable to the palmetto bug on any operating system.  The
Vendor responses detailed in Appendix B were essentially verification of
whether or not the vulnerable software in question was packaged by default
with their operating system.

Any OS listed in Appendix B as NOT vulnerable indicates that:

   1. an installation of the OS does not include the vulnerable software
       in question, and
   2. the default FTP server that _is_ included in the installation is not
       vulnerable to this large pathname attack.
Regards,


Jordan Ritter
Network Security Engineer
Netect, Inc.  Boston, MA

"Quis custodiet ipsos custodes?"

