Slashdot Mirror


Wu-ftpd Remote Root Hole

Ademar writes: "A remotely exploitable vulnerability was found in wu-ftpd, which is distributed in all major distros. The CERT has a (private) list to coordinate this kind of disclosure so vendors can release updates together, but RH broke the schedule and released their advisory first. You can see the full advisory from securityfocus in bugtraq, but here is a quote: 'This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available.'" CNET has a story about this too.

4 of 515 comments

  1. I've changed my mind by child_of_mercy · · Score: 5, Interesting

    Would have been nice to give the maintainers on a few other distros time to close the hole before broadcasting this to the script kiddies.

    Until 5 mins ago I was a believer in complete disclosure,

    But with 6 wu-ftpd boxes to admin I'm not so sure any more.

    Hope I see a fix today.

    --
    'There is a Light that never goes out.'
  2. CERT and private lists by SClitheroe · · Score: 5, Interesting

    You all bashed Microsoft the last time around for not immediately and publicly notifying users of an exploit, preferring instead to ready a fix before the exploit was common knowledge.

    So, once again use an occasion such as this to resoundingly denounce the fact that CERT, and major Linux distros other than Red Hat, have chosen to do essentially the same.

    I suspect that the complaints of this type of behavior will be much less in the case of CERT, since Microsoft's disclosure policies simply allow slashdotters to take pot shots at MS, but we'll see... The shoe's on the other foot this time.

  3. Re:Nice. by dlek · · Score: 5, Interesting
    According to the CNET article, Red Hat did this by mistake, and they apologized.

    I'm somewhat surprised--but either way it brings the unresolved question of disclosure bubbling to the froth again.

  4. Re:Another globbing bug? by LS · · Score: 5, Interesting

    Ok, so what level of security on someone's box makes them no longer a moron? Is there a canonical list of things I must do to secure a box so that I am no longer a moron? To be honest, I run my own box for personal use, and learning anything more than basic security takes more time than it's worth. Please let me know where I can go to learn what it takes to build a secure box as defined by non-moron security experts.

    LS

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie