Mandrake: wu-ftpd update
Posted by Team   
Mandrake Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation.

   Linux-Mandrake Security Update


Date: July, 2nd 2000

Package name: wu-ftpd

Affected versions: 6.0 6.1 7.0 7.1

Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC
implementation. Because of user input going directly into a format
string for a *printf function, it is possible to overwrite important
data, such as a return address, on the stack. When this is
accomplished, the function can jump into shellcode pointed to by the
overwritten eip and execute arbitrary commands as root. While
exploited in a manner similar to a buffer overflow, it is actually an
input validation problem. Anonymous ftp is exploitable making it even
more serious as attacks can come anonymously from anywhere on the

Please upgrade to:

md5 sum: b4340d1007f5128d5d80502007c11a17

md5 sum: bb37dbaf5f9fc3953c2869592df608c9
src: 6.0/SRPMS/wu-ftpd-2.6.0-7mdk.src.rpm

md5 sum: 89467e25e432271892aea433b613b4f7

md5 sum: bb37dbaf5f9fc3953c2869592df608c9
src: 6.1/SRPMS/wu-ftpd-2.6.0-7mdk.src.rpm

md5 sum: 7e240d30b2e8cba1ba0c3dc59908aef7

md5 sum: bb37dbaf5f9fc3953c2869592df608c9
src: 7.0/SRPMS/wu-ftpd-2.6.0-7mdk.src.rpm

md5 sum: 2b83dcb120012f1009e707398b5f4dc4

md5 sum: bb37dbaf5f9fc3953c2869592df608c9
src: 7.1/SRPMS/wu-ftpd-2.6.0-7mdk.src.rpm

To upgrade automatically, use « MandrakeUpdate ». If you want to
upgrade manually, download the updated package from one of our FTP
server mirrors and uprade with "rpm -Uvh package_name". All mirrors
are listed on Updated packages are
available in the "updates/" directory.

For example, if you are looking for an updated RPM package for
Mandrake 7.1, look for it in: updates/7.1/RPMS/

- We give the md5 sum for each package. It lets you check the
integrity of the downloaded package by running the md5sum command on
the package ("md5sum package.rpm").
- You generally do not need to download the source package with a
.src.rpm suffix