-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		problems in wu-ftpd-2.5
Advisory number: 	CSSA-1999:028.0
Issue date: 		1999 September, 6
Cross reference:
______________________________________________________________________________


1. Problem Description

   This bug is present in both version 2.4 and version 2.5.
   An attacker can overflow a buffer by putting exploit data into
   a .message file.

   The attack always works locally, since an attacker can
   place a bogus .message file in her home directory, and
   connect to the FTP daemon with the regular user name and
   password.

   The attack can also be performed from remote, if you have
   configured your FTP daemon to allow uploads.

   Caldera wishes to thank Tymm Twillman <tymm@coe.missouri.edu>
   for his report and investigation of the problem.


2. Vulnerable Versions

   Systems : previous to COL 2.3
   Packages: previous to wu-ftpd-2.5-3 

3. Solutions

   The proper solution is to upgrade to the latest packages

	rpm -U wu-ftpd-2.5-3.i386.rpm
	
4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.calderaystems.com/pub/OpenLinux/updates/2.3/current/SRPMS/

5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

        rpm -U wu-ftpd-2.5-3.i386.rpm
        
6. Verification

   e99c4ea7941ff2d0b3c79a9304674f7b  RPMS/wu-ftpd-2.5.0-3.i386.rpm
   993ab4121cdba623c721297532f5e216  SRPMS/wu-ftpd-2.5.0-3.src.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/news/security/index.html

   This security fix closes Caldera's internal Problem Report 5121

8. Disclaimer
   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN9Pe3un+9R4958LpAQFdZAP/evxX/EYSyVvmAvUZJhYnScEEGKFwtSVS
TrO9xmPKcqVORj/V+TnpLDN7gmVAgBXT+RbASu6uLwnACKj0xE5pPwYm9Njc+TC5
GYFYVW8vrpWCS7aRxuJv6izmamWd7FyiWRrp0BKr+NZBsu3s7mhSqST4os2wbRNl
5S9LsPgIkE0=
=Hh+l
-----END PGP SIGNATURE-----