Slashdot Mirror

Wu-ftpd Remote Root Hole

Ademar writes: "A remotely exploitable vulnerability was found in wu-ftpd, which is distributed in all major distros. CERT has a (private) list to coordinate this kind of disclosure so vendors can release updates together, but RH broke the schedule and released their advisory first. You can see the full advisory from SecurityFocus in Bugtraq, but here is a quote: "This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available."" CNET has a story about this too.

5 of 515 comments

  1. Nice. by Anonymous Coward · Score: 1, Flamebait

    Someone at RedHat's got their business thinking cap on.

    Release a fix that no one else is able to yet and tell the world how to exploit the hole.

    Crush the competition while they sleep.

  2. Redhat by gregRowe · Score: 0, Flamebait

    Is Red Hat becoming the MS of Linux distros? That isn't very cool of them to release early. I am sure they were under no obligation to wait, but it certainly doesn't seem "polite".

    --
    There's no place like ~

  3. Another globbing bug? by Hiro Antagonist · Score: 2, Flamebait

    IIRC, this type of exploit has been the bane of WuFTPD's existence; one of the reasons I switched to ProFTPD some time ago. Much better security history.

    Besides, if you're running a public FTP and it's not in a chroot jail, you are a moron anyway.

    --
    I Hit the Karma Cap, and All I Got Was This Lousy .sig.

  4. Red Hat's motivations? by code addict · Score: 0, Flamebait

    The guys at Red Hat sure are jerks. I guess you can always depend on companies to look out for number 1 first, and screw everyone else whenever possible!

  5. Re: I've changed my mind by andrewski · Score: 4, Flamebait

    The script kiddies probably knew about this long before CERT did. This is the major problem with private bug lists for vendors; it gives script kiddies a while to continue exploiting boxes while the vendors prepare patches. I would rather know right away, disable FTP, and do without for a few days than wait until the bug was fixed before I am informed. Private lists, like all other forms of security by obscurity, are inherently ineffective.