Subject: remote root vulnerability in gssftp vs. NetBSD
To: None <,>
From: Bill Sommerfeld <>
List: tech-net
Date: 06/15/2000 08:59:56
Yesterday, Tom Yu of MIT posted an advisory to bugtraq reporting a
vulnerability in the MIT-distributed GSSAPI-secured FTP daemon
included in MIT's kerberos 5 distribution.

Based on examination of the NetBSD sources and the text of the
advisory, no version of NetBSD appears to be vulnerable.

The broken version appeared in krb5 version 1.1; according to the
advisory 1.0.x distributions do not have the bug.

1.4.x does not include kerberos 5; -current with crypto-us includes a
port of MIT's krb5-1.0.6 with some patches.

					- Bill