From:	 secure@conectiva.com.br
To:	 conectiva-updates@papaleguas.conectiva.com.br,
	 linsec@lists.seifried.org, lwn@lwn.net, bugtraq@securityfocus.com,
	 security-alerts@linuxsecurity.com
Subject: [CLA-2001:443] Conectiva Linux Security Announcement - wu-ftpd
Date:	 Fri, 30 Nov 2001 19:13:29 -0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : wu-ftpd
SUMMARY   : Additional format string fixes for wu-ftpd
DATE      : 2001-11-30 19:02:00
ID        : CLA-2001:443
RELEVANT
RELEASES  : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 "wu-ftpd" is one of the ftp servers shipped with Conectiva Linux and
 many other distributions.
 
 This is a follow-up to the CLSA-2001:442 announcement, where a
 critical security problem was fixed. The wu-ftpd developers now
 released[1] an official fix for that problem, but with two additional
 corrections:
 - format string fixes: some new format string bugs have been
 patched;
 - additional checks: null-pointer checks have been added to some
 parts of the code.
 
 These two new fixes, as well as another one related to PASV mode[2]
 (not security related), have been applied to the updated packages
 presented through this advisory.


SOLUTION
 It is recommended that all wu-ftpd users apply the update.
 
 
 REFERENCES
 1.ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/ftpglob.patch
 2.ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/pasv-port-allow-correction.patch


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/wu-ftpd-2.6.1-6U51_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/wu-ftpd-2.6.1-6U51_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/wu-ftpd-2.6.1-6U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wu-ftpd-2.6.1-6U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/wu-ftpd-2.6.1-6U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/wu-ftpd-2.6.1-6U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/wu-ftpd-2.6.1-6U50_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/wu-ftpd-2.6.1-6U50_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8B/Z442jd0JmAcZARAhwpAKCtq6his3yR1Yksy06W9aYHIIshRQCfXZL8
3TruJyx+gGBN0uXkCt4bIdA=
=hB4B
-----END PGP SIGNATURE-----