Bugtraq mailing list archives
palmetto.ftpd vulnerability clarification.
From: jpr5 () NETECT COM (Jordan Ritter)
Date: Fri, 12 Feb 1999 15:49:05 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

I have received several emails from various engineering groups with concerns over ambiguity in Appendix B's (OS Vendors) vulnerability information. Specifically, some find it unclear as to whether or not machines are vulnerable running wu-ftpd or proftpd even though their Vendor reported the operating system as not vulnerable.

To clarify, the specific versions of wu-ftpd and ProFTPD described in the advisory ARE vulnerable to the palmetto bug on any operating system. The Vendor responses detailed in Appendix B were essentially verification of whether or not the vulnerable software in question was packaged by default with their operating system.

Any OS listed in Appendix B as NOT vulnerable indicates that:

1. an installation of the OS does not include the vulnerable software in question, and
2. the default FTP server that _is_ included in the installation is not vulnerable to this large pathname attack.

Regards,

Jordan Ritter
Network Security Engineer
Netect, Inc. Boston, MA

"Quis custodiet ipsos custodes?"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.2 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE2xJPE+siuashk00ERArWIAJ4ppDvEFF9TAxyJMowBcjJGtiPmewCgiNzS
CDsX44Zpierz7f2f0BR81Bs=
=fxYQ
-----END PGP SIGNATURE-----