Note: This is an archival copy of Security Sun Alert 201704 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001257.1.
Date of Resolved Release
A security vulnerability exists in the WU-FTPD version 2.6.2 (and earlier) FTP server daemon, as currently shipped with Sun Linux 5.0 (as version 2.6.1-20), which may allow a remote or local unprivileged user to gain unauthorized root access.
For more information on this issue, see the following:
Red Hat Advisory RHSA-2003:245-15 located at:
CVE CAN-2003-0466 located at:
iSEC Advisory isec-0011-wu-ftpd located at:
In addition, please see Sun Alert 56121 for Solaris.
This issue can occur in the following releases:
Note: The WU-FTPD FTP server is disabled by default.
The WU-FTPD FTP server version can be determined by running the following command:
# rpm -q wu-ftpd
wu-ftpd-2.6.1-20
There are no predictable symptoms that would indicate the above described issues have been exploited.
Until patches can be applied, sites that have enabled the WU-FTPD "ftpd" daemon process may wish to disable it by doing the following:
1. Edit the "/etc/xinetd.d/wu-ftpd" file and change the line "disable = no" to "disable = yes".
2. Make "xinetd" read the new configuration files by executing the following command:
# kill -HUP `pgrep xinetd`
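The two workaround steps above as a script that also verifies the result; this is an added example, not part of the original Sun Alert. The function names are hypothetical, the sample service file is constructed, and the script assumes that a service file with no "disable" attribute is enabled.

```shell
#!/bin/sh
# Added example: audit and apply the xinetd workaround described above.
# Assumption: a service file with no "disable" attribute counts as enabled.

# Print "absent", "enabled" or "disabled" for the xinetd service file $1.
xinetd_state() {
    [ -f "$1" ] || { echo absent; return 0; }
    lines=$(grep -E '^[[:space:]]*disable[[:space:]]*=' "$1" || true)
    [ -n "$lines" ] || { echo enabled; return 0; }
    # Any uncommented disable line that is not exactly "yes" means enabled.
    if echo "$lines" | grep -qvE '=[[:space:]]*yes[[:space:]]*$'; then
        echo enabled
    else
        echo disabled
    fi
}

# Set "disable = yes" in $1, adding the attribute if it is missing.
xinetd_disable() {
    cfg=$1; tmp="$cfg.tmp.$$"
    if grep -qE '^[[:space:]]*disable[[:space:]]*=' "$cfg"; then
        sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\).*/\1yes/' "$cfg" > "$tmp"
    else
        awk '/^[ \t]*[}][ \t]*$/ { print "\tdisable = yes" } { print }' "$cfg" > "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # keep the file's owner and mode
}

# Send SIGHUP to xinetd only if it is running (a bare kill with no PID fails).
xinetd_reload() {
    pids=$(pgrep -x xinetd || true)
    [ -n "$pids" ] || { echo "xinetd is not running" >&2; return 1; }
    kill -HUP $pids
}

# Demo on a constructed service file in a temp directory, not the live system.
demo() {
    d=$(mktemp -d); sample="$d/wu-ftpd"
    printf 'service ftp\n{\n\tsocket_type = stream\n\tdisable = no\n}\n' > "$sample"
    before=$(xinetd_state "$sample")
    xinetd_disable "$sample"
    after=$(xinetd_state "$sample")
    rm -rf "$d"
    echo "$before -> $after"
}

demo   # prints: enabled -> disabled
```

On a live host, run xinetd_disable against "/etc/xinetd.d/wu-ftpd" as root, then xinetd_reload, and confirm with xinetd_state that the file reports "disabled".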
This issue is addressed in the following releases:
Sun Linux patches are available at:
Sun Linux 5.0