Date: Fri, 29 Sep 2000 11:28:34 -0700 (PDT)
To: slackware-security@slackware.com
Subject: [slackware-security] wu-ftpd advisory update

****** UPDATE:
This announcement was first mailed out on 28-Sep-2000. It was later
determined that incorrect 16-bit sums and 128-bit MD5 message digests
were included in the announcement. The announcement below is identical
to the one from yesterday, but it includes the correct verification data.
We apologize for the inconvenience.
******

A vulnerability involving an input validation error in the "site exec"
command has recently been identified in the wu-ftpd program (CERT Advisory
CA-2000-13). More information about this problem can be found at this site:

   http://www.cert.org/advisories/CA-2000-13.html

The wu-ftpd daemon is part of the tcpip1.tgz package in the N series. A
new tcpip1.tgz package is now available in the Slackware -current tree.
All users of Slackware 7.0, 7.1, and -current are strongly urged to upgrade
to the new tcpip1.tgz package.

For users of Slackware 4.0, a wuftpd.tgz patch package is being provided
in the /patches tree of Slackware 4.0.

=========================================
wu-ftpd 2.6.1 AVAILABLE - (n1/tcpip1.tgz)
=========================================

FOR USERS OF SLACKWARE 7.0, 7.1, and -current:
---------------------------------------------

The recent vulnerability in wu-ftpd can be fixed by upgrading to the
new tcpip1.tgz package. This package upgrades the wu-ftpd server to
version 2.6.1. You can download it from the -current branch:

   ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/tcpip1.tgz

All users of Slackware 7.0, 7.1, and -current are strongly urged to
upgrade to the tcpip1.tgz package to fix the vulnerability in wu-ftpd.

For verification purposes, we provide the following checksums:

   16-bit "sum" checksum:
   45865 995

   128-bit MD5 message digest:
   2ffec28ac4b9de34d5899f7cd88cc5c3  n1/tcpip1.tgz

Installation instructions for the tcpip1.tgz package:

   If you have downloaded the new tcpip1.tgz package, you should bring
   the system into runlevel 1 and run upgradepkg on it:

      # telinit 1
      # upgradepkg tcpip1.tgz
      # telinit 3

FOR USERS OF SLACKWARE 4.0:
--------------------------

The recent vulnerability in wu-ftpd can be fixed by installing the
wuftpd.tgz patch package. This package upgrades the wu-ftpd server to
version 2.6.1. You can download it from the Slackware 4.0 branch:

   ftp://ftp.slackware.com/pub/slackware/slackware-4.0/patches/wuftpd.tgz

All users of Slackware 4.0 are strongly urged to install the wuftpd.tgz
patch package to fix the vulnerability in wu-ftpd.

For verification purposes, we provide the following checksums:

   16-bit "sum" checksum:
   06607 105

   128-bit MD5 message digest:
   75547b1762d7ff4fad233cd89529ff2c  wuftpd.tgz

Installation instructions for the wuftpd.tgz package:

   If you have downloaded the wuftpd.tgz patch package, you should bring
   the system into runlevel 1 and run installpkg on it:

      # telinit 1
      # installpkg wuftpd.tgz
      # telinit 3

Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com