Updated: October 11, 2000
Not Affected
Current versions of BSD/OS do not include any version of wu-ftpd. The BSDI ftpd is not vulnerable to the reported problems; it is not based on the wu-ftpd code. The version of ftpd in modern versions of BSD/OS is not vulnerable to the generic setproctitle() vulnerabilities.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
Please see CSSA-2000-020.0 regarding the wu-ftpd issue and OpenLinux: ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt Copyright © 2000 Caldera Systems, Inc.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
At the time of writing this document, this reported problem is currently still under evaluation by engineering to determine the requirement of a solution if necessary. COMPAQ will provide an update to this advisory accordingly.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Affected
Please see: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623212826.A13925@conectiva.com.br
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Affected
Please see the following regarding the wu-ftpd "site exec" issue: http://www.debian.org/security/2000/20000623 Copyright © 1997-2000 SPI
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Not Affected
The version of ftpd shipped with all versions of FreeBSD since 2.2.0 is not vulnerable to this problem. FreeBSD also ships with several optional third-party FTP servers in the Ports Collection, including wu-ftpd and proftpd. The wu-ftpd vulnerability was corrected on 2000/06/24 and is the subject of FreeBSD Security Advisory SA-00:29. At this time no patch has been released by the proftpd vendor and the version in FreeBSD ports is still vulnerable to this attack. FreeBSD makes no guarantee about the security of third-party software in the ports collection and users are advised that there may be security vulnerabilities in other FTP servers available there.
The vendor has not provided us with any further information regarding this vulnerability.
An update to proftpd is now available.
Updated: October 11, 2000
Not Affected
Fujitsu's UXP/V operating system is not vulnerable to any of the vulnerabilities discussed in [this] advisory.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Affected
HP is vulnerable. Please see: HPSBUX0007-117: Sec. Vulnerability in ftpd, **Rev.01**
HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #00117, 11 July '00, Last Revised: 12 July '00
An excerpt:
PROBLEM: The ftp server (ftpd) on HP-UX allows users root access.
PLATFORM: HP-UX release 11.00 - Both Problem #1 and #2 below; HP-UX release 10.20 - Problem #2, setproctitle(), only
DAMAGE: Unauthorized root access.
SOLUTION: Install temporary binary until an official patch is released.
AVAILABILITY: The temporary binary is available now (see below).
A. Background
There are 2 problems with FTP Server (ftpd) on HP-UX.
1. ftpd handling of the SITE EXEC command that allows remote users to gain root access. This is possible in the default configuration of ftpd on HP-UX 11.00 ONLY.
2. ftpd does not properly format the parameters to the setproctitle() function, allowing users to gain root access. This problem applies to both 11.00 and 10.X.
B. Fixing the problem
All system administrators are encouraged to install our temporary binary until an official patch is released. The file can be retrieved to simply replace the original factory supplied binary.
C. Recommended solution
Two temporary ftp binaries (for HP-UX 11.00 and HP-UX 10.20) can be found at:
ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.11.0
ftp://ftp.cup.hp.com/dist/networking/ftp/ftpd.10.20
**Revised 01** --->>>These are to be installed in /usr/lbin/ftpd, with permissions 544.
NOTE: This advisory [HPSBUX0007-117] will be updated when patches become available.
Copyright © 2000 Hewlett-Packard Company
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
Please see the MANDRAKE 7.1 update section for wu-ftpd information at: http://www.linux-mandrake.com/en/fupdates.php3
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Not Affected
The IIS FTP service is not affected by these issues.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
It seems that the MIT Kerberos ftpd is based on BSD ftpd revision 5.40, and has never contained any serious format string related bugs for some reason. It is possible that by defining an undocumented CPP macro SETPROCTITLE, calls to setproctitle() can be made, however, there is an internally declared setproctitle() function that does not take a format string as its argument, and is hence not vulnerable.
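The setproctitle() point that the HP excerpt and the MIT Kerberos comment above turn on (client text handed to setproctitle() as its format string, versus a setproctitle() that takes no format at all), as an added C illustration that is not code from any vendor. fake_setproctitle() is a hypothetical stand-in for the BSD libc routine, and the title buffer stands in for the argv area it overwrites.

```c
/* Added illustration (not vendor code): why a printf-style setproctitle()
 * given client-controlled text as its FORMAT argument is a format-string
 * bug, and the two safe shapes the vendor statements describe. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 128
static char g_title[TITLE_MAX];   /* stands in for the process title area */

/* Hypothetical BSD-style setproctitle(fmt, ...): vsnprintf() into a fixed
 * buffer. Returns the resulting title so callers can inspect it. */
static const char *fake_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_title, sizeof g_title, fmt, ap);
    va_end(ap);
    return g_title;
}

/* VULNERABLE shape (the ftpd bug): the client text IS the format string,
 * so every '%' conversion it contains is interpreted by vsnprintf().
 * The harmless "100%%" used in the test already shows the text is parsed
 * rather than copied; a conversion expecting an argument would make
 * vsnprintf() read (or, with %n, write) memory the client never supplied. */
const char *title_vulnerable(const char *client_text)
{
    return fake_setproctitle(client_text);
}

/* FIXED shape: a constant format; client text travels only as an argument
 * and is copied verbatim. */
const char *title_fixed(const char *client_text)
{
    return fake_setproctitle("ftpd: %s", client_text);
}

/* Alternative the MIT Kerberos comment describes: a setproctitle() whose
 * parameter is a plain string, so there is no format to interpret. */
const char *setproctitle_plain(const char *title)
{
    snprintf(g_title, sizeof g_title, "%s", title);
    return g_title;
}
```

When auditing a code base for this pattern, gcc's -Wformat-security warns on exactly the vulnerable shape (a non-literal format string with no further arguments).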
Updated: October 11, 2000
Affected
Please see NetBSD Security Advisories NetBSD-SA2000-009 & NetBSD-SA2000-010:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-009.txt.asc
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-010.txt.asc
Copyright © 2000, The NetBSD Foundation, Inc. All Rights Reserved.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Affected
The setproctitle bug is in OpenBSD. Please see: http://www.openbsd.org/errata.html#ftpd
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Not Affected
[...] None of my software [ftpd from my logdaemon utilities] has either the "site exec" or "setproctitle" features enabled. Wietse Venema mailto:wietse@porcupine.org
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
Upgrade to ProFTPD 1.2.0: http://www.proftpd.net/download.html
Please see the discussion concerning setproctitle() at:
http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html
http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html
http://bugs.proftpd.net/show_bug.cgi?id=121
http://www.proftpd.net/security.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
Please see RHSA-2000-039-02 regarding the wu-ftpd issue: http://www.redhat.com/support/errata/RHSA-2000-039-02.html Copyright © 2000 Red Hat, Inc. All rights reserved.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Not Affected
IRIX ftpd is not vulnerable to the issues mentioned in this advisory. See ftp://sgigate.sgi.com/security/20000701-01-I for more information.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
Please see the patches made available regarding the wu-ftpd issue, at: ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Not Affected
SISP FTPD is similar to wu-ftpd. SISP FTPD does not allow site exec nor does it use setproctitle(). Therefore, SISP FTPD does not appear to be vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Unknown
Please see SuSE Security Announcement #53 regarding the wu-ftpd issue, at: http://www.suse.de/de/support/security/suse_security_announce_53.txt
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: October 11, 2000
Affected
The WU-FTPD Development Group's primary distribution site is mirrored world-wide. A list of mirrors is available from: http://www.wu-ftpd.org/mirrors.txt If possible, please use a mirror to obtain patches or the latest version.
Upgrade your version of wu-ftpd
The latest release of wu-ftpd, version 2.6.1, has been released to address these and several other security issues:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc
Apply a patch
The wu-ftpd developers have published the following patch for wu-ftpd 2.6.0:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch.asc
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.