--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-67442bdd84
2026-01-23 00:54:29.972515+00:00
--------------------------------------------------------------------------------

Name        : vsftpd
Product     : Fedora 43
Version     : 3.0.5
Release     : 14.fc43
URL         : https://security.appspot.com/vsftpd.html
Summary     : Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from
scratch.

--------------------------------------------------------------------------------
Update Information:

Resolve CVE-2025-14242
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jan 14 2026 Tomas Korbar - 3.0.5-14
- Resolve CVE-2025-14242
* Thu Dec 18 2025 Fedor Vorobev - 3.0.5-13
- Add a tmpfiles.d config. (image mode support)
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-67442bdd84' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-c90cb486f7
2021-01-20 01:26:41.921779
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 32
Version     : 2.3.13
Release     : 2.fc32
URL         : https://dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail
in either of maildir or mbox formats.

The SQL drivers and authentication plug-ins are in their subpackages.

--------------------------------------------------------------------------------
Update Information:

fix rundir location

----

- dovecot updated to 2.3.13, pigeonhole to 0.5.13
- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow
  logged in user to access other people's emails and filesystem information.
- Metric filter and global event filter variable syntax changed to a SQL-like
  format.
- auth: Added new aliases for %{variables}. Usage of the old ones is possible,
  but discouraged.
- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and
  related password schemes.
- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
- auth: Removed postfix postmap socket
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan  7 2021 Michal Hlavinka - 1:2.3.13-2
- fix rundir location
* Wed Jan  6 2021 Michal Hlavinka - 1:2.3.13-1
- fix release number
* Mon Jan  4 2021 Michal Hlavinka - 1:2.3.13-0
- dovecot updated to 2.3.13, pigeonhole to 0.5.13
- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to allow
  logged in user to access other people's emails and filesystem information.
- Metric filter and global event filter variable syntax changed to a SQL-like
  format.
- auth: Added new aliases for %{variables}. Usage of the old ones is possible,
  but discouraged.
- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth mechanism and
  related password schemes.
- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
- auth: Removed postfix postmap socket
* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-7
- change run directory from /var/run to /run (#1777922)
* Wed Oct 21 2020 Michal Hlavinka - 1:2.3.11.3-6
- use bigger default key size (#1882939)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1912455 - CVE-2020-24386 dovecot: IMAP hibernation function allows mail access
        https://bugzilla.redhat.com/show_bug.cgi?id=1912455
  [ 2 ] Bug #1912460 - CVE-2020-25275 dovecot: Denial of service via mail MIME parsing
        https://bugzilla.redhat.com/show_bug.cgi?id=1912460
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-c90cb486f7' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Package        : curl
Version        : 7.26.0-1+wheezy25
CVE ID         : CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

Multiple vulnerabilities were found in cURL, an URL transfer library:

CVE-2018-1000120

    Duy Phan Thanh reported that curl could be fooled into writing a
    zero byte out of bounds when curl was told to work on an FTP URL,
    with the setting to only issue a single CWD command. The issue could
    be triggered if the directory part of the URL contained a "%00"
    sequence.

CVE-2018-1000121

    Dario Weisser reported that curl might dereference a near-NULL
    address when getting an LDAP URL. A malicious server that sends a
    particularly crafted response could crash applications that rely on
    libcurl and allow LDAP URLs.

CVE-2018-1000122

    OSS-fuzz and Max Dymond found that curl can be tricked into copying
    data beyond the end of its heap based buffer when asked to transfer
    an RTSP URL. curl could calculate a wrong data length to copy from
    the read buffer. This could lead to information leakage or a denial
    of service.

For Debian 7 "Wheezy", these problems have been fixed in version
7.26.0-1+wheezy25.

We recommend that you upgrade your curl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Several security flaws in cURL addressed through an update for Debian Wheezy.
Users are advised to upgrade.

Severity: Critical. LinuxSecurity.com Team

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-0089
2009-01-07 06:45:03
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 10
Version     : 1.3.1
Release     : 8.fc10
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behaviour of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update fixes a security issue where an attacker could conduct cross-site
request forgery (CSRF) attacks and execute arbitrary FTP commands. It also
fixes some SSL shutdown issues seen with certain clients.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan  2 2009 Matthias Saou 1.3.1-8
- Update default configuration to have a list of available modules and more
  example configuration for them.
- Include patches to fix TLS issues (#457280).
* Fri Jan  2 2009 Matthias Saou 1.3.1-7
- Add Debian patch to fix CSRF vulnerability (#464127, upstream #3115).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #464127 - CVE-2008-4242 proftpd CSRF attack
        https://bugzilla.redhat.com/show_bug.cgi?id=464127
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at .

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-503
2007-05-14
---------------------------------------------------------------------

Product     : Fedora Core 6
Name        : php
Version     : 5.1.6
Release     : 3.6.fc6
Summary     : The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module which adds support for the PHP
language to Apache HTTP Server.

---------------------------------------------------------------------
Update Information:

This update fixes a number of security issues in PHP.

A heap buffer overflow flaw was found in the PHP 'xmlrpc'
extension. A PHP script which implements an XML-RPC server
using this extension could allow a remote attacker to
execute arbitrary code as the 'apache' user. Note that this
flaw does not affect PHP applications using the pure-PHP
XML_RPC class provided in /usr/share/pear. (CVE-2007-1864)

A flaw was found in the PHP 'ftp' extension. If a PHP script
used this extension to provide access to a private FTP
server, and passed untrusted script input directly to any
function provided by this extension, a remote attacker would
be able to send arbitrary FTP commands to the server.
(CVE-2007-2509)

A buffer overflow flaw was found in the PHP 'soap'
extension, regarding the handling of an HTTP redirect
response when using the SOAP client provided by this
extension with an untrusted SOAP server. No mechanism to
trigger this flaw remotely is known. (CVE-2007-2510)
---------------------------------------------------------------------
* Wed May  9 2007 Joe Orton 5.1.6-3.6.fc6
- add security fixes for CVE-2007-1864, CVE-2007-2509,
  CVE-2007-2510 (#235016)
- add README.FastCGI to -cli subpackage (#236555)
---------------------------------------------------------------------
This update can be downloaded from:

This update can be installed with the 'yum' update program. Use 'yum update
package-name' at the command line. For more information, refer to 'Managing
Software with yum,' available at.
---------------------------------------------------------------------

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200501-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: KDE FTP KIOslave: Command injection
      Date: January 11, 2005
      Bugs: #73759
        ID: 200501-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The FTP KIOslave contains a bug allowing users to execute arbitrary FTP
commands.

Background
==========

KDE is a feature-rich graphical desktop environment for Linux and
Unix-like Operating Systems. KDE provided KIOslaves for many protocols
in the kdelibs package, one of them being FTP. These are used by KDE
applications such as Konqueror.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  kde-base/kdelibs     < 3.3.2-r2                       >= 3.3.2-r2
                                                          *>= 3.2.3-r5

Description
===========

The FTP KIOslave fails to properly parse URL-encoded newline
characters.

Impact
======

An attacker could exploit this to execute arbitrary FTP commands on the
server and, due to similarities between the FTP and the SMTP protocol,
this vulnerability also allows an attacker to connect to a SMTP server
and issue arbitrary commands, for example sending an email.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All kdelibs users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose kde-base/kdelibs

Note: There is currently no fixed stable 3.3.x version for sparc.

References
==========

  [ 1 ] KDE Security Advisory: ftp kioslave command injection
        https://kde.org/info/security/advisory-20050101-1.txt
  [ 2 ] CAN-2004-1165
        https://www.cve.org/CVERecord?id=CVE-CAN-2004-1165

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/200501-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated wu-ftpd packages fix remote vulnerability.
Advisory ID:       RHSA-2003:245-01
Issue date:        2003-07-31
Updated on:        2003-07-31
Product:           Red Hat Linux
Keywords:          ftpd
Cross references:
Obsoletes:         RHSA-2001:157
CVE Names:         CAN-2003-0466
---------------------------------------------------------------------

1. Topic:

Updated wu-ftpd packages are now available that fix a remotely exploitable
security issue.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.1 for iSeries (64 bit) - ppc
Red Hat Linux 7.1 for pSeries (64 bit) - ppc
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

The wu-ftpd package contains the Washington University FTP (File Transfer
Protocol) server daemon. FTP is a method of transferring files between
computers on a network.

An off-by-one bug has been discovered in versions of wu-ftpd up to and
including 2.6.2. On a vulnerable system, a remote attacker would be able
to exploit this bug to gain root privileges.

Red Hat Linux 7.1 and 7.2 contain a version of wu-ftpd that is affected by
this bug, although it is believed this issue will not be remotely
exploitable due to compiler padding of the buffer targeted for the
overflow. Red Hat Linux 7.3 and 8.0 contain a version of wu-ftpd that is
remotely exploitable.

Red Hat advises all users of wu-ftpd to upgrade to these erratum packages,
which contain a security patch and are not vulnerable to this issue.

Red Hat would like to thank Wojciech Purczynski and Janusz Niewiadomski of
ISEC Security Research for their responsible disclosure of this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.1:
SRPMS:
i386:

Red Hat Linux 7.1 for iSeries (64 bit):
SRPMS:
ppc:

Red Hat Linux 7.1 for pSeries (64 bit):
SRPMS:
ppc:

Red Hat Linux 7.2:
SRPMS:
i386:
ia64:

Red Hat Linux 7.3:
SRPMS:
i386:

Red Hat Linux 8.0:
SRPMS:
i386:

6. Verification:

These packages are GPG signed by Red Hat for security. Our key is
available from Product Signing Keys - Red Hat Customer Portal

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum

7. References:

isec
CVE -CVE-2003-0466

8. Contact:

The Red Hat security contact is . More contact
details at All Red Hat products

Copyright 2003 Red Hat, Inc.

A significant flaw in the openssh suite for Debian Linux could lead to
possible unauthorized entry. Take immediate action to patch and protect your
environments.

Severity: Critical. LinuxSecurity.com Team

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated wu-ftpd packages are available
Advisory ID:       RHSA-2001:157-06
Issue date:        2001-11-20
Updated on:        2001-11-26
Product:           Red Hat Linux
Keywords:          wu-ftpd buffer overrun glob ftpglob
Cross references:
Obsoletes:         RHSA-2000:039
---------------------------------------------------------------------

1. Topic:

Updated wu-ftpd packages are available to fix an overflowable buffer.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386

3. Problem description:

An overflowable buffer exists in earlier versions of wu-ftpd.
An attacker could gain access to the machine by sending malicious
commands.

It is recommended that all users of wu-ftpd upgrade to the latest
version.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed ( for more info):

6. RPMs required:

Red Hat Linux 6.2:
SRPMS:
alpha:
i386:
sparc:

Red Hat Linux 7.0:
SRPMS:
alpha:
i386:

Red Hat Linux 7.1:
SRPMS:
alpha:
i386:
ia64:

Red Hat Linux 7.2:
SRPMS:
i386:

7. Verification:

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at: About

You can verify each package with the following command:

rpm --checksig

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg

8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.

Recent Wu-FTPD patches for Red Hat Linux tackle serious buffer overflow
issues. Users are highly encouraged to perform the upgrade.

Severity: Critical. LinuxSecurity.com Team