SECURITY VULNERABILITY DISCOVERED!
A vulnerability has been found in the current versions of WU-FTPD up to 2.6.2. Information describing the vulnerability is available from:
- CIAC bulletin N-132
- CVE CAN-2003-0466
- Red Hat errata RHSA-2003-245 with updated packages
Please apply the realpath.patch patch to WU-FTPD 2.6.2.
This fixes an off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD. It may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
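To make the off-by-one concrete, here is an added illustrative example in C (not the wu-ftpd source and not realpath.patch): a realpath-style length check in a flawed form modelled on the description above and in the corrected form, using a small DEMO_MAXPATHLEN stand-in for MAXPATHLEN, plus a join routine that refuses any result whose terminating NUL would not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for MAXPATHLEN so the boundary is easy to exercise
   by hand; the system constant is 1024 or 4096 depending on platform. */
#define DEMO_MAXPATHLEN 32

/* A realpath-style join writes "<resolved>/<component>" into a buffer of
   DEMO_MAXPATHLEN bytes. The check must leave room for the NUL terminator.
   flawed_check_admits accepts a joined length of exactly DEMO_MAXPATHLEN,
   so the NUL lands one byte past the buffer: a pathname of MAXPATHLEN+1
   bytes overflows by one. fixed_check_admits rejects that case.
   Both predicates are illustrative reconstructions, not wu-ftpd code. */
bool flawed_check_admits(size_t resolved_len, size_t component_len)
{
    return !(resolved_len + component_len + 1 > DEMO_MAXPATHLEN);
}

bool fixed_check_admits(size_t resolved_len, size_t component_len)
{
    return !(resolved_len + component_len + 1 >= DEMO_MAXPATHLEN);
}

/* Length of the joined string (without NUL) for a given pair of lengths. */
size_t joined_len(size_t resolved_len, size_t component_len)
{
    return resolved_len + component_len + 1;
}

/* Hardened join: fills dst only when the result and its NUL fit; otherwise
   returns false and leaves dst untouched. The per-operand guard keeps the
   size_t addition in the predicate from wrapping on absurd inputs. */
bool join_path_checked(char dst[DEMO_MAXPATHLEN],
                       const char *resolved, const char *component)
{
    size_t rl = strlen(resolved), cl = strlen(component);
    if (rl >= DEMO_MAXPATHLEN || cl >= DEMO_MAXPATHLEN)
        return false;
    if (!fixed_check_admits(rl, cl))
        return false;
    memcpy(dst, resolved, rl);
    dst[rl] = '/';
    memcpy(dst + rl + 1, component, cl);
    dst[rl + 1 + cl] = '\0';   /* index is at most DEMO_MAXPATHLEN - 1 */
    return true;
}

/* Wrapper for trying join_path_checked on a local buffer: returns the
   resulting length, or -1 if the join was refused. */
long demo_join(const char *resolved, const char *component)
{
    char buf[DEMO_MAXPATHLEN];
    if (!join_path_checked(buf, resolved, component))
        return -1;
    return (long)strlen(buf);
}
```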
Additionally, applying the connect-dos.patch is advised for all systems.
This patch fixes a possible denial of service attack on systems that allow only one non-connected socket bound to the same local address.
Additionally, applying the skeychallenge.patch is strongly advised for systems using S/Key logins.
This patch fixes a stack overflow in the S/Key login handling.
The current version of WU-FTPD is 2.6.2 and is available from ftp.wu-ftpd.org. If you are running an earlier version, please update your copy. You might want to take a look at what has changed.
Before downloading, please check the list of wu-ftpd world-wide mirrors for a site in your region.
Additional information about WU-FTPD is available online:
- Man pages
- Example configuration files
- HOWTO guides
- Resource Center
- Mailing List Archive
- WU-FTPD License
- FTP and related RFCs
There are a number of mailing lists for support questions or other discussions concerning WU-FTPD.
Archived WU-FTPD Group Announcements
This site is currently being redone, so come back occasionally.
Last updated: Tue Feb 18 06:24:29 CST 2003