-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                    Caldera Systems, Inc. Security Advisory

Subject:            Buffer overflow in ftp client
Advisory number:    CSSA-1999:003.0
Issue date:         1999 Feb 15
Cross reference:
______________________________________________________________________________

1. Problem Description

   There is a buffer overflow in the ftp client's handling of the server's
   response to a PASV command. This lets a malicious ftp server crash and
   possibly subvert a user who connects to it and tries to download data
   using passive mode.

2. Vulnerable Versions

   Systems:  OpenLinux 1.0, 1.1, 1.2, 1.3.
   Packages: < netkit-ftp-0.10-7.i386.rpm

3. Solutions

   As a workaround, remove the netkit-ftp package and use the ncftp ftp
   client from the ncftp-2.4.2-1 package.

   The proper solution is to upgrade to the netkit-ftp-0.10-7 package.

4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/current/SRPMS

5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -q netkit-ftp && rpm -U netkit-ftp-0.10-7.i386.rpm

6. Verification

   The MD5 checksums (from the "md5sum" command) for these packages are:

   9e3072d1d389cd59f1ab727cef4e2abd  RPMS/netkit-ftp-0.10-7.i386.rpm
   799b3c07a205a45f1e275665d49d5436  SRPMS/netkit-ftp-0.10-7.src.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/news/security/index.html

   This security fix closes Caldera's internal Problem Report 4247.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNtv/H+n+9R4958LpAQFfNgQAnR2xkzOM4eIAaImJ15fns9DYYQWTFhqC
oKrryGnPS6i0kg+ae2xSB+EZjyk24+PbX/Pp6ju33DeIvQ8F1hqDltrbQkeMF8lA
lQbcadR31+mHHHFDidbPqUFnbb/XZW8ELXM8Eqr2R6pk3LCWb+sawRzyCAqfDeXM
5lbgC6yTj10=
=bnqA
-----END PGP SIGNATURE-----
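The flaw described in section 1 is a client trusting the length and shape of a server-controlled reply. The following is an added example, not code from the advisory or from the netkit-ftp package, of how a client can parse the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply defensively: the reply length is bounded before anything is copied, each field is range-checked, and the result is written only into a caller-supplied, length-checked buffer. The limit PASV_MAX_REPLY and the function names are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a reply line we are willing to look at at all.
   RFC 959 reply lines are short; anything longer is treated as hostile. */
#define PASV_MAX_REPLY 128

struct pasv_addr {
    unsigned char  ip[4];
    unsigned short port;
};

/* Parse a "227 ... (h1,h2,h3,h4,p1,p2)" reply into *out.
   Returns 0 on success, -1 on any oversized or malformed input.
   On failure *out is left untouched. */
int parse_pasv_reply(const char *reply, struct pasv_addr *out)
{
    if (reply == NULL || out == NULL)
        return -1;

    /* Bound the scan: never walk past PASV_MAX_REPLY bytes looking for NUL. */
    size_t len = 0;
    while (reply[len] != '\0') {
        if (++len > PASV_MAX_REPLY)
            return -1;              /* reject oversized reply outright */
    }

    if (strncmp(reply, "227", 3) != 0)
        return -1;

    const char *p = strchr(reply, '(');
    if (p == NULL)
        return -1;
    p++;

    unsigned long v[6];
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;              /* no sign, no whitespace, no empty field */
        char *end;
        v[i] = strtoul(p, &end, 10);
        if (v[i] > 255)
            return -1;              /* each octet / port byte must fit in 8 bits */
        p = end;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != ')')
        return -1;

    unsigned short port = (unsigned short)(v[4] * 256 + v[5]);
    if (port == 0)
        return -1;                  /* port 0 is never a usable data port */

    for (int i = 0; i < 4; i++)
        out->ip[i] = (unsigned char)v[i];
    out->port = port;
    return 0;
}

/* Render the parsed address as "a.b.c.d:port" into a caller-supplied buffer.
   Returns 0 on success, -1 if the buffer is too small (output is never truncated
   silently). */
int format_pasv_addr(const struct pasv_addr *a, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%u.%u.%u.%u:%u",
                     a->ip[0], a->ip[1], a->ip[2], a->ip[3], a->port);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample replies: one well-formed, one with an out-of-range port byte. */
    const char *good = "227 Entering Passive Mode (192,168,1,10,4,1)";
    const char *bad  = "227 Entering Passive Mode (192,168,1,10,4,999)";
    struct pasv_addr a;
    char text[32];

    if (parse_pasv_reply(good, &a) == 0 && format_pasv_addr(&a, text, sizeof text) == 0)
        printf("accepted: %s\n", text);
    if (parse_pasv_reply(bad, &a) != 0)
        printf("rejected: %s\n", bad);
    return 0;
}
```

The two checks that matter most are the length bound before any scanning and the refusal to write the result until every field has been validated; a reply that is too long, truncated, or carries a value over 255 is rejected rather than partially consumed.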