Wu-ftpd Remote Root Hole
Ademar writes: "A remotely exploitable vulnerability was found in wu_ftp, which is distributed in all major distros. CERT has a (private) list to coordinate this kind of disclosure so vendors can release updates together, but RH broke the schedule and released their advisory first. You can see the full advisory from securityfocus in bugtraq, but here is a quote: 'This vulnerability was initially scheduled for public release on December 3, 2001. Red Hat pre-emptively released an advisory on November 27, 2001. As a result, other vendors may not yet have fixes available.'" CNET has a story about this too.
Further hypocrisy on slashdot....
./ blasts MS whenever they try to keep a known exploit quiet for whatever reason, but then goes ahead and blasts Red Hat for spilling the beans.
I thought the whole point of OS was so that you can make changes/fixes yourself? I'd rather go a week without a distro patch than not know about the exploit at all. At least then I can disable the daemon, or implement a kludge fix.
-Chris
--an unbreakable toy is useful for breaking other toys--
Couldn't agree more, the distros need to stop shipping software with horrendous security records.
wu-ftpd/bind/sendmail literally give me the shudders. There are solid competitors for all of these. Greater or equal features, and designs that are much more secure.