I hope to have either a statement we are not vulnerable or an upload in incoming by next dinstall run.
Note that krb5-ftpd is not in potato so this is just an FYI for those using unstable/testing.

------- Start of forwarded message -------
Date: Thu, 29 Nov 2001 16:05:59 -0600
From: Matt Crawford <[EMAIL PROTECTED]>
Subject: glob vulnerability?
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>

I suppose you're aware that yet another file globbing vulnerability has been found in wu-ftpd and exploits are out there. Looking over the patch at

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply-to-2.6.1/ftpglob.patch

the ftpcmd.y part seems to have diverged greatly from MIT's gssftp, but glob.c seems to still be similar enough for it to be very likely the same vulnerability exists. And in fact if I connect, log in, and type "ls ~[", ftpd will segfault.

Matt Crawford
------- End of forwarded message -------