-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-010
                 =================================

Topic:		wu-ftpd package vulnerability.
Version:	All wu-ftpd versions prior to 2.6.1
Severity:	High: Potential remote root access.


Abstract
========

Note: The wu-ftpd package is not part of the base NetBSD distribution,
and is not installed by default.  It is part of the NetBSD package
collection, which contains a large number of third-party applications
in ready-to-install format.

wu-ftpd versions prior to 2.6.1 contain known security holes
which may allow unauthorized remote users to gain root access.

Technical Details
=================

See the CERT advisory CA-2000-13 and NetBSD-SA2000-009


Solutions and Workarounds
=========================

Versions of wu-ftpd older than version 2.6.1 are vulnerable.  To find
out the version of wu-ftpd installed on your NetBSD system, you can use
pkg_info(1):

	# pkg_info -e wu-ftpd-\*

If wu-ftpd is not installed on your system, no output will be generated,
and your system is not vulnerable to this problem.

If you have a version older than 2.6.1, you should upgrade to a newer
version of wu-ftpd.  A corrected version has been part of the NetBSD
packages collection since 8 July 2000.

If a vulnerable version of wu-ftpd is installed, then you should
immediately remove the vulnerability by deleting the package.  As
root, type:

	# pkg_delete -v wu-ftpd-\*

If you continue to need wu-ftpd, you should install a new version of
the package.

There are precompiled binary packages of wu-ftpd for some NetBSD ports
available from:

ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/net/wu-ftpd/README.html

If no precompiled binary is available for your platform, you can build
your own from source.  First, make sure that you have a version of the
pkgsrc hierarchy from 8 July 2000 or later.  (See
http://www.netbsd.org/Sites/net.html for ways to obtain NetBSD, and
pkgsrc, its packages collection.)

You can then install the new version of the package:

	cd pkgsrc/net/wu-ftpd; make clean; make install

For more information on how to rebuild a package from source for your
architecture, see ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/README

Revision History
================

	20000708	Initial version.
	20000710	Filled in pkgsrc hierarchy date.

More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-010.txt,v 1.5 2000/07/10 23:11:06 sommerfeld Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWpYND5Ru2/4N2IFAQE/2gP/XMtr88vzrDyXlCrPMNXwMCwF1SCfejqz
I91LTy5k4ylPwJIgVO7+5guHXJrSgAMB0Qy6xq/L5rIdOgpxhfNgQhj7Cs3Cmt5c
tROHHNTb6teJ12l4kmxjuK+KUfyrYNPAvUqLbDS73fFQXSyEX5GJS3iqjGEii4ef
6+l3xQEiTog=
=GQEJ
-----END PGP SIGNATURE-----