Subject: remote root vulnerability in gssftp vs. NetBSD
To: None <tech-security@netbsd.org, tech-net@netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 06/15/2000 08:59:56
Message-Id: <200006151259.MAA14802@orchard.arlington.ma.us>
cc: security-officer@netbsd.org
Reply-to: sommerfeld@orchard.arlington.ma.us

Yesterday, Tom Yu of MIT posted an advisory to bugtraq reporting a
vulnerability in the MIT-distributed GSSAPI-secured FTP daemon
included in MIT's kerberos 5 distribution.

Based on examination of the NetBSD sources and the text of the
advisory, no version of NetBSD appears to be vulnerable.

The broken version appeared in krb5 version 1.1; according to the
advisory 1.0.x distributions do not have the bug.

1.4.x does not include kerberos 5; -current with crypto-us includes a
port of MIT's krb5-1.0.6 with some patches.

					- Bill