[15573] in bugtraq
Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)
daemon@ATHENA.MIT.EDU (Hugo.van.der.Kooij@CAIW.NL)
Fri Jun 30 17:50:33 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10006300811081.842-100000@bastion.hugo.vanderkooij.org>
Date: Fri, 30 Jun 2000 08:13:26 +0200
Reply-To: Hugo.van.der.Kooij@CAIW.NL
From: Hugo.van.der.Kooij@CAIW.NL
X-To: Joey Maier <maierj@HOME.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSO.4.21.0006291001180.25731-100000@www.slothnet.com>

On Thu, 29 Jun 2000, Joey Maier wrote:
> >RHSA-2000:039-02: remote root exploit (SITE EXEC) fixed
> [...]
> >A security bug in wu-ftpd can permit remote users, even without
> >an account, to gain root access.
> >The new version closes the hole.
> >
> >2. Relevant releases/architectures:
> >
> >Red Hat Linux 5.2 - i386 alpha sparc
>
> (which includes wu-ftpd-2.4.2b18-2.i386.rpm)
>
> >Red Hat Linux 6.2 - i386 alpha sparc
>
> (which includes wu-ftpd-2.6.0-3.i386.rpm)
>
> What about Red Hat 6.0 (includes wu-ftpd-2.4.2vr17-3.i386.rpm) and
> 6.1 (includes wu-ftpd-2.5.0-9.i386.rpm)? I know that the sploit tf8
> released was for version 2.6.0, but earlier versions of wu-ftpd
> are vulnerable, too. Does anyone know if Red Hat plans to release
> RPMs to fix the 2.5.0 version included in Red Hat 6.1?

You are supposed to use the latest fixes for your major release number. So
if you run 6.0 or 6.1 you must use the 6.2 fixes. So there IS a fix for
6.1 and 6.0 available.

Hugo.
--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij@caiw.nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)