Slashdot Mirror


Wu-ftpd Remote Root Hole

Ademar writes: "A remote exploitable vulnerability was found in wu_ftp, which is distributed in all major distros. The CERT has a (private) list to coordinate this kind of disclosure so vendors can release updates together, but RH broke the schedule and released their advisory first. You can see the full advisory from securityfocus in bugtraq, but here is a quote: "This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available."" CNET has a story about this too.

1 of 515 comments (clear)

  1. Re:I've changed my mind by andrewski · · Score: 4, Flamebait

    The script kiddies probably knew about this long before CERT did. This is the major problem with private bug lists for vendors; It gives script kiddies a while to continue exploiting boxes while the vendors prepare patches. I would rather know right away, disable FTP, and do without for a few days, than wait until the bug was fixed before I am informed. Private lists, like all other forms of security by obscurity, are inherently ineffective.