Hi,

(debian bug, Elliot)
> Package: wu-ftpd
> Version: 2.4-23
>
> I don't know the exploit, but tar in the anon ftp area is the
> same as the normal one, so I think Debian systems may have this
> problem too. Two messages from the linux-security list (the
> second one includes a patch for tar - only for anon ftp, not
> for the normal one!) are attached below.

AFAIK it is along the lines of "site exec tar cvzf -rsh-command blafasel host:tar.tgz"

Of course there should be no tar binary in the site exec directory, therefore I wonder where the problem is... But I guess a stripped-down binary version of tar together with a stripped-down binary version of ls (both static) would be a nice idea to include in the wu-ftpd package.

Greetings
Bernd
--
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  [EMAIL PROTECTED],linux.de}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/A2C51749  [EMAIL PROTECTED]  +4972573817  *plush*
(O____O)       If privacy is outlawed only Outlaws have privacy