Subject: NetBSD Security Advisory 2000-010 (REVISED)
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 07/10/2000 19:16:12
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2000-010
Topic: wu-ftpd package vulnerability.
Version: All wu-ftpd versions prior to 2.6.1
Severity: High: Potential remote root access.
Note: The wu-ftpd package is not part of the base NetBSD distribution,
and is not installed by default. It is part of the NetBSD package
collection, which contains a large number of third-party applications
in ready-to-install format.
wu-ftpd versions prior to 2.6.1 contain known security holes
which may allow unauthorized remote users to gain root access.
See the CERT advisory CA-2000-13 and NetBSD-SA2000-009
Solutions and Workarounds
Versions of wu-ftpd older than version 2.6.1 are vulnerable. To find
out the version of wu-ftpd installed on your NetBSD system, you can use:
    # pkg_info -e wu-ftpd-\*
If wu-ftpd is not installed on your system, no output will be generated,
and your system is not vulnerable to this problem.
If you have a version older than 2.6.1, you should upgrade to a newer
version of wu-ftpd. A corrected version has been part of the NetBSD
packages collection since 8 July 2000.
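The version check described above can be scripted. The following is an added example, not part of the original advisory or of NetBSD's tools: it compares each name reported by pkg_info -e against 2.6.1. The function names and the sample package names are constructed for illustration, and the handling of suffixes such as "nb1" is an assumption.

```shell
#!/bin/sh
# Added example: classify wu-ftpd package names against fixed version 2.6.1.
FIXED_VERSION="2.6.1"

# Print the leading digits of one version component ("1nb1" -> 1, "" -> 0).
# Assumption: suffixes such as "nb1" or "b18" never decide whether a
# version is older than 2.6.1, so they are ignored.
lead_num() {
    n=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    printf '%s' "${n:-0}"
}

# Return 0 if dotted version $1 is older than dotted version $2.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(lead_num "${a%%.*}"); y=$(lead_num "${b%%.*}")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print "vulnerable" or "ok" for a name as printed by "pkg_info -e".
classify_pkg() {
    if version_lt "${1#wu-ftpd-}" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "ok"
    fi
}

# Audit the running system; does nothing where pkg_info is unavailable.
audit_installed() {
    command -v pkg_info >/dev/null 2>&1 || return 0
    pkg_info -e 'wu-ftpd-*' 2>/dev/null | while read -r pkg; do
        echo "$pkg: $(classify_pkg "$pkg")"
    done
}

# Constructed sample names, so the script also runs off a NetBSD host.
for sample in wu-ftpd-2.4.2b18 wu-ftpd-2.6.0 wu-ftpd-2.6.1; do
    echo "sample $sample: $(classify_pkg "$sample")"
done
audit_installed
```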
If a vulnerable version of wu-ftpd is installed, then you should
immediately remove the vulnerability by deleting the package. As
    # pkg_delete -v wu-ftpd-\*
If you continue to need wu-ftpd, you should install a new version of
There are precompiled binary packages of wu-ftpd for some NetBSD ports
If no precompiled binary is available for your platform, you can build
your own from source. First, make sure that you have a version of the
pkgsrc hierarchy from 8 July 2000 or later. (See
http://www.netbsd.org/Sites/net.html for ways to obtain NetBSD, and
pkgsrc, its packages collection.)
You can then install the new version of the package:
    cd pkgsrc/net/wu-ftpd; make clean; make install
For more information on how to rebuild a package from source for your
architecture, see ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/README
20000708 Initial version.
20000710 Filled in pkgsrc hierarchy date.
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2000-010.txt,v 1.5 2000/07/10 23:11:06 sommerfeld Exp $
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----