Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

palmetto.ftpd vulnerability clarification.

From: jpr5 () NETECT COM (Jordan Ritter)
Date: Fri, 12 Feb 1999 15:49:05 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Folks,

        I have received several emails from various engineering groups
with concerns over ambiguity in Appendix B's (OS Vendors) vulnerability
information.  Specifically, some find it unclear as to whether or not
machines are vulnerable running wu-ftpd or proftpd even though their
Vendor reported the operating system as not vulnerable.

To clarify, the specific versions of wu-ftpd and ProFTPD described in the
advisory ARE vulnerable to the palmetto bug on any operating system.  The
Vendor responses detailed in Appendix B were essentially verification of
whether or not the vulnerable software in question was packaged by default
with their operating system.

Any OS listed in Appendix B as NOT vulnerable indicates that:

   1. an installation of the OS does not include the vulnerable software
       in question, and
   2. the default FTP server that _is_ included in the installation is not
       vulnerable to this large pathname attack.



Regards,


Jordan Ritter
Network Security Engineer
Netect, Inc.  Boston, MA

"Quis custodiet ipsos custodes?"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.2 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE2xJPE+siuashk00ERArWIAJ4ppDvEFF9TAxyJMowBcjJGtiPmewCgiNzS
CDsX44Zpierz7f2f0BR81Bs=
=fxYQ
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: