2001 WU-FTPD News:
November 30, 2001 CERT has issued an advisory concerning two issues with WU-FTPD.
November 30, 2001 Version 2.6.2 released. Download it from the distribution site or one of the world-wide mirrors.
November 29, 2001 The WU-FTPD Development Group has been made aware by Security Focus of a vulnerability in WU-FTPD which could lead to a root compromise when exploited. We have verified the existence of this vulnerability in version 2.6.1, which is the currently shipping version of wu-ftpd, and in a 2.7.0 version shipped by Red Hat as 2.6.1-16.
The WU-FTPD Development Group has released a patch against version 2.6.1. This patch is available at ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.6.1-patches/ftpglob.patch.
Additional patches to version 2.6.1 are available in the same directory. Those running earlier versions are advised to update to version 2.6.1 and apply all supplied patches.
A new version with all these patches applied will be made available shortly as version 2.6.2. To avoid confusion, we will skip the 2.7.0 version number.
The WU-FTPD Development Group has been made aware that some vendors are shipping vulnerable pre-release, development versions of WU-FTPD software bearing, at least internally, version 2.7.0. All users are advised to verify the version claimed in the initial greeting upon connection to the software (you may need to remove your greeting clause from the WU-FTPD configuration to allow the version information to be displayed). If this greeting claims version 2.7.0 or earlier, users are advised to DOWNGRADE IMMEDIATELY to version 2.6.1 and apply all supplied patches. To avoid confusion, the WU-FTPD Development Group WILL NOT release version 2.7.0; instead the next version will be numbered 2.8.0. (Users participating in the field trials of the development version are advised to check the date of their CVS snapshot and, if it is dated on or before July 1, 2001, either upgrade to the current snapshot or downgrade to a patched version 2.6.1.)
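The greeting check described above, as an added example that is not part of the WU-FTPD project's code: it extracts the version from a wu-ftpd 220 greeting and maps it to the action this advisory recommends. The banner strings, the host name and the function names are constructed for the example; the only network function reads a server's greeting, nothing more.

```python
import re
import socket

# Added example, not wu-ftpd project code. Classifies a WU-FTPD greeting
# banner against the November 2001 advice on this page: 2.6.2 is fixed,
# 2.6.1 needs ftpglob.patch, and pre-release "2.7.0" builds must be replaced.
VERSION_RE = re.compile(r"Version\s+wu-(\d+)\.(\d+)\.(\d+)")
FIXED_VERSION = (2, 6, 2)

def parse_wu_version(greeting):
    """Return (major, minor, patch) from a wu-ftpd 220 greeting, or None."""
    m = VERSION_RE.search(greeting)
    return tuple(int(x) for x in m.groups()) if m else None

def assess_greeting(greeting):
    """Map a greeting to an action, following the advisory text above."""
    v = parse_wu_version(greeting)
    if v is None:
        # A custom greeting clause hides the version; nothing can be concluded.
        return "unknown"
    if v == (2, 7, 0):
        return "replace-prerelease"   # downgrade to patched 2.6.1 or move to 2.6.2
    if v >= FIXED_VERSION:
        return "ok"
    if v == (2, 6, 1):
        # The banner cannot show whether ftpglob.patch was applied, nor whether
        # this is really a vendor 2.7.0 snapshot labelled 2.6.1 (e.g. 2.6.1-16).
        return "verify-patches"
    return "upgrade"                   # anything older than 2.6.1

def fetch_greeting(host, port=21, timeout=5.0):
    """Read the full FTP greeting (multi-line 220- replies included)."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="latin-1", newline="\r\n")
        for line in f:
            lines.append(line.rstrip("\r\n"))
            if line.startswith("220 "):   # final line of the reply
                break
    return "\n".join(lines)

# Constructed sample greetings (not captured from real servers).
SAMPLES = {
    "220 ftp.example.test FTP server (Version wu-2.6.2(1)) ready.": "ok",
    "220 ftp.example.test FTP server (Version wu-2.6.1(1)) ready.": "verify-patches",
    "220 ftp.example.test FTP server (Version wu-2.7.0(1)) ready.": "replace-prerelease",
    "220 ftp.example.test FTP server (Version wu-2.5.0(1)) ready.": "upgrade",
    "220 Welcome to our FTP service.": "unknown",
}
```

To check a server you administer, pass `fetch_greeting("your.host")` to `assess_greeting`; the `SAMPLES` table shows the expected classification for each banner shape.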
September 21, 2001 A Trojan Horse exploit was posted to the Vuln-Dev mailing list. The posting falsely claims to be from security consultant Carolyn Meinel and claims to provide a remote exploit gaining root access to servers running WU-FTPD Version 2.6.1. In fact, the exploit will delete all files and directories in your home directory. Those with copies of the Trojan Horse are advised to delete it without attempting to compile and run the program. A news article about the Trojan Horse may be read at Newsbytes.
January 24, 2001 News about a new exploit for wu-ftpd is making the rounds without much explanation of the exact problem. The temporary file race condition can occur in the privatepw utility, not in the running daemon. So there is no externally exploitable situation.
2000 WU-FTPD News:
July 7, 2000 CERT has issued an advisory concerning WU-FTPD and all ftp daemons derived from BSD's final release.
July 2, 2000 WU-FTPD 2.6.1 has been released. Download it from the attic.
June 26, 2000 AUSCERT Advisory AA-2000.02 recommends upgrading to 2.6.0 and applying the patch.
June 22, 2000 A new exploit for wu-ftpd was published. We are working on a new release that fixes this and some other problems. Some Linux vendors (Red Hat and Debian) have already released their patches. A source patch is available in the patches directory for release 2.6.0.
1999 WU-FTPD News:
October 19, 1999 CERT Advisory CA-99-13 recommends all users update to version 2.6.0. This advisory covers all security issues uncovered since the release of version 2.5.0, including the August 26 Security Update.
October 19, 1999 AUSCERT Advisory AA-1999.02 recommends all users update to version 2.6.0.
October 18, 1999 Version 2.6.0 released. To see what has changed, read the complete change history of WU-FTPD.
August 27, 1999 AUSCERT Advisory AA-1999.01 recommends all users update to version 2.5.0 and apply the patches recommended in the August 26 Security Update.
August 26, 1999 Security Update for Version 2.5.0.
May 25, 1999 Version 2.5.0 released.
April 1, 1999 WU-FTPD Development Group formed.