Subject: NetBSD Security Advisory 2000-010 (REVISED)
To: None <>
From: None <>
List: netbsd-announce
Date: 07/10/2000 19:16:12

                 NetBSD Security Advisory 2000-010

Topic:		wu-ftpd package vulnerability.
Version:	All wu-ftpd versions prior to 2.6.1
Severity:	High: Potential remote root access.


Note: The wu-ftpd package is not part of the base NetBSD distribution,
and is not installed by default.  It is part of the NetBSD package
collection, which contains a large number of third-party applications
in ready-to-install format.

wu-ftpd versions prior to 2.6.1 contain known security holes
which may allow unauthorized remote users to gain root access.

Technical Details

See the CERT advisory CA-2000-13 and NetBSD-SA2000-009

Solutions and Workarounds

Versions of wu-ftpd older than version 2.6.1 are vulnerable.  To find
out the version of wu-ftpd installed on your NetBSD system, you can use

	# pkg_info -e wu-ftpd-\*

If wu-ftpd is not installed on your system, no output will be generated,
and your system is not vulnerable to this problem.

If you have a version older than 2.6.1, you should upgrade to a newer
version of wu-ftpd.  A corrected version has been part of the NetBSD
packages collection since 8 July 2000.

If a vulnerable version of wu-ftpd is installed, then you should
immediately remove the vulnerability by deleting the package.  As
root, type:

	# pkg_delete -v wu-ftpd-\*

If you continue to need wu-ftpd, you should install a new version of
the package.

There are precompiled binary packages of wu-ftpd for some NetBSD ports
available from:

If no precompiled binary is available for your platform, you can build
your own from source.  First, make sure that you have a version of the
pkgsrc hierarchy from 8 July 2000 or later.  (See for ways to obtain NetBSD, and
pkgsrc, its packages collection.)

You can then install the new version of the package:

	cd pkgsrc/net/wu-ftpd; make clean; make install

For more information on how to rebuild a package from source for your
architecture, see

Revision History

	20000708	Initial version.
	20000710	Filled in pkgsrc hierarchy date.

More Information

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-010.txt,v 1.5 2000/07/10 23:11:06 sommerfeld Exp $

Version: 2.6.2