Bugtraq mailing list archives

Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)


From: kenn () BLUETREE IE (Kenn Humborg)
Date: Sat, 1 Jul 2000 13:45:13 +0100


On Sat, Jul 01, 2000 at 08:36:45AM +0200, Bernhard Rosenkraenzer wrote:
> On Thu, 29 Jun 2000, Kenn Humborg wrote:
>
> > The latest wu-ftpd RPM for Red Hat 4.2 is also vulnerable.  I notified
> > Red Hat about this on Saturday last, but no word from them yet.
>
> Who did you talk to? I never got a message, and I'm maintaining our
> wu-ftpd package.

As per http://www.redhat.com/feedback.html, I emailed security () redhat com.

> We're aware of the fact that 4.2 (and 3.x for that matter) are affected,
> but we're no longer supporting versions prior to 5.2.

Well, then, somebody better tell that to whoever maintains the main errata
page at http://www.redhat.com/support/errata/index.html.

And can I also ask that you _continue_ to maintain RH4.2 (for security
only, if necessary) as it was your last libc5 release.  I'd say drop
5.2 before dropping 4.2, as an upgrade from 5.2 to 6.2 would be nowhere
near as traumatic as from 4.2 to 6.2.

> If you absolutely
> need to continue using it, get the source RPM from 5.x and rebuild it.

That's what I did.

Later,
Kenn

