WU-FTPD Security Advisory

Upgraded WU-FTPD packages are available for Slackware 9.0 and

• -current. These fix a problem where an attacker could use a
  specially crafted filename in conjunction with WU-FTPD’s
  conversion feature (mostly used to compress files, or produce tar
  archives) to execute arbitrary commands on the server.

In addition, a MAIL_ADMIN which has been found to be insecure has
been disabled.

We do not recommend deploying WU-FTPD in situations where security
is required.

Here are the details from the Slackware 9.0 ChangeLog:

Tue Sep 23 14:43:10 PDT 2003
pasture/dontuse/wu-ftpd/wu-ftpd-2.6.2-i486-3.tgz: Fixed a security problem in
/etc/ftpconversions (CVE-1999-0997). There’s also another hole in wu-ftpd
which may be triggered if the MAIL_ADMIN feature (notifies the admin of
anonymous uploads) is used, so MAIL_ADMIN has been disabled in this build.
Also note that we’ve moved this from /pasture to /pasture/dontuse, which
should tell you something.
(* Security fix *)

WHERE TO FIND THE NEW PACKAGES:

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/pasture/dontuse/wu-ftpd/wu-ftpd-2.6.2-i386-3.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/pasture/dontuse/wu-ftpd/wu-ftpd-2.6.2-i486-3.tgz

MD5 SIGNATURES:

Slackware 9.0 package:
2585e5eb265708d0f74b7f00325aaf9f wu-ftpd-2.6.2-i386-3.tgz

Slackware -current package:
fa6d5af10336187de5b84e5bb6b11a39 wu-ftpd-2.6.2-i486-3.tgz

INSTALLATION INSTRUCTIONS:

Upgrade using upgradepkg (as root):
> upgradepkg wu-ftpd-2.6.2-i386-3.tgz