Caldera Unknown

Notified:  November 27, 2001 Updated: December 04, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Affected

Updated:  December 04, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : wu-ftpd
SUMMARY : Additional format string fixes for wu-ftpd
DATE : 2001-11-30 19:02:00
ID : CLA-2001:443
RELEVANT RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

DESCRIPTION

"wu-ftpd" is one of the ftp servers shipped with Conectiva Linux and many other distributions.

This is a follow-up to the CLSA-2001:442 announcement, where a critical security problem was fixed. The wu-ftpd developers now released[1] an official fix for that problem, but with two additional corrections:

- format string fixes: some new format string bugs have been patched;
- additional checks: null-pointer checks have been added to some parts of the code.

These two new fixes, as well as another one related to PASV mode[2] (not security related), have been applied to the updated packages presented through this advisory.

SOLUTION

It is recommended that all wu-ftpd users apply the update.

REFERENCES

1. ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/ftpglob.patch
2. ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/pasv-port-allow-correction.patch

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/wu-ftpd-2.6.1-6U51_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/wu-ftpd-2.6.1-6U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/wu-ftpd-2.6.1-6U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wu-ftpd-2.6.1-6U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/wu-ftpd-2.6.1-6U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/wu-ftpd-2.6.1-6U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm

ADDITIONAL INSTRUCTIONS

Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages:

- add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en

subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8B/Z442jd0JmAcZARAhwpAKCtq6his3yR1Yksy06W9aYHIIshRQCfXZL8
3TruJyx+gGBN0uXkCt4bIdA=
=hB4B
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  November 27, 2001 Updated: December 04, 2001

Status

Affected

Vendor Statement

Debian released Debian Security Advisory DSA-016 in January 2001.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Notified:  November 27, 2001 Updated: November 30, 2001

Status

Not Affected

Vendor Statement

Regarding VU#886083 and VU#639760 (WU-FTPD vulnerabilities), UXP/V is not vulnerable, because UXP/V does not support WU-FTPD.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NcFTP Software Not Affected

Notified:  November 27, 2001 Updated: November 30, 2001

Status

Not Affected

Vendor Statement

All versions of NcFTPd Server are not vulnerable to the problems described by VU#886083 and VU#639760.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Not Affected

Notified:  November 27, 2001 Updated: November 27, 2001

Status

Not Affected

Vendor Statement

SGI does not ship IRIX with WU-FTPd, so IRIX is not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Not Affected

Notified:  November 27, 2001 Updated: November 30, 2001

Status

Not Affected

Vendor Statement

Sun does not ship WU-FTPD, thus Solaris is not affected by these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WU-FTPD Development Group Affected

Notified:  November 22, 2001 Updated: November 30, 2001

Status

Affected

Vendor Statement

WU-FTPD has released a patch in July 2000 that addresses this issue in WU-FTPD 2.6.1:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/missing_format_strings.patch

WU-FTPD 2.6.2 is available and addresses this issue:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
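
The patch named above is a "missing format strings" fix: places where a string the client supplied was handed to the server's printf-style reply helper as the format itself rather than as an argument. The following is an added illustration of that bug class and its fix, written for this page; it is not code from wu-ftpd or the WU-FTPD Development Group, and the reply_into(), reply_vulnerable(), reply_fixed() and audit helpers, the 550 reply text, and the hostile input string are all constructed for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wu-ftpd's own code.  reply_into() stands in for the
 * server's reply() helper: it builds a numbered FTP response line, and its
 * fmt argument is a printf-style format.  Returns the length written, or -1
 * on truncation or error. */
int reply_into(char *out, size_t outlen, int code, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%d ", code);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= outlen - (size_t)n)
        return -1;
    return n + m;
}

/* The defect class the missing_format_strings.patch closes: a string the
 * client chose (a pathname, a command argument) is passed to reply() AS the
 * format.  With "foo.txt" it looks correct; with "%x%x%n" vsnprintf reads
 * the caller's stack and writes to an address taken from it.  Shown only for
 * the shape of the bug; never feed it untrusted input. */
int reply_vulnerable(char *out, size_t outlen, const char *client_string)
{
    return reply_into(out, outlen, 550, client_string);
}

/* Hardened form: the format is a literal, the client string is data. */
int reply_fixed(char *out, size_t outlen, const char *client_string)
{
    return reply_into(out, outlen, 550, "%s: No such file or directory.",
                      client_string);
}

/* Scanner behind the audit helpers: counts printf conversions, treating
 * "%%" as a literal percent, and flags %n, the directive that turns a
 * format-string bug from a stack read into an arbitrary write. */
static int scan_format(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent sign */
            p++;
            continue;
        }
        p++;                        /* skip flags, width, precision, length */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;                  /* dangling '%' at end of string */
        if (*p == 'n')
            *has_n = 1;
        count++;
    }
    return count;
}

/* Number of conversions a client string would introduce if misused as a
 * format; 0 means even the buggy path prints it unchanged, which is why
 * such bugs survive ordinary functional testing. */
int count_conversions(const char *s)
{
    int has_n;
    return scan_format(s, &has_n);
}

/* Nonzero if the string carries a %n directive. */
int contains_percent_n(const char *s)
{
    int has_n;
    scan_format(s, &has_n);
    return has_n;
}

/* Formats a reply through the hardened path into a static buffer; NULL on
 * truncation.  Not thread-safe; demonstration only. */
const char *fixed_reply_text(const char *client_string)
{
    static char buf[128];
    return reply_fixed(buf, sizeof buf, client_string) < 0 ? NULL : buf;
}

int main(void)
{
    const char *benign = "foo.txt";
    const char *hostile = "%08x.%08x.%n";      /* constructed attacker input */
    char buf[128];

    reply_vulnerable(buf, sizeof buf, benign);  /* safe here: no '%' in input */
    printf("vulnerable path, benign input: %s\n", buf);
    printf("fixed path, hostile input:     %s\n", fixed_reply_text(hostile));
    printf("conversions in hostile input: %d (has %%n: %d)\n",
           count_conversions(hostile), contains_percent_n(hostile));
    return 0;
}
```

The vulnerable and fixed paths produce identical output for any input without a percent sign, so a code review or a grep for reply() and lreply() calls whose second argument is a variable, not a string literal, finds this class of bug far more reliably than testing does; compilers' -Wformat-security warnings flag the same pattern.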

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.