Note: This is an archival copy of Security Sun Alert 201704 as previously published on http://sunsolve.sun.com. The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001257.1.
Category
Security

Release Phase
Resolved

4899303

Date of Resolved Release
29-AUG-2003

Impact
A security vulnerability exists in the WU-FTPD version 2.6.2 (and earlier) FTP server daemon, as currently shipped with Sun Linux 5.0 (as version 2.6.1-20), which may allow a remote or local unprivileged user to gain unauthorized root access.

For more information on this issue, see the following:

Red Hat Advisory RHSA-2003:245-15 located at:
CVE CAN-2003-0466 located at:
iSEC Advisory isec-0011-wu-ftpd located at:

In addition, please see Sun Alert 56121 for Solaris.

Contributing Factors
This issue can occur in the following releases:

Sun Linux

Note: The WU-FTPD FTP server is disabled by default.

The WU-FTPD FTP server version can be determined by running the following command:

    # rpm -q wu-ftpd
    wu-ftpd-2.6.1-20

Symptoms
There are no predictable symptoms that would indicate the above described issues have been exploited.

Workaround
Until patches can be applied, sites that have enabled the WU-FTPD "ftpd" daemon process may wish to disable it by doing the following:

1. Edit the "/etc/xinetd.d/wu-ftpd" file and change the line "disable = no" to "disable = yes".

2. Make "xinetd" read the new configuration files by executing the following command:

    # kill -HUP `pgrep xinetd`

Resolution
This issue is addressed in the following releases:

Sun Linux

Sun Linux patches are available at:

Modification History
Date: 29-AUG-2003

Product
Sun Linux 5.0

Attachments
This solution has no attachment
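
The Workaround steps above can be checked and applied with a script. The following is an added example, not part of the original Sun Alert: the function names are hypothetical, and it assumes a service file with no "disable" attribute is enabled and does not inspect any "disabled" list in the xinetd defaults.

```shell
#!/bin/sh
# Added example: audit and apply the "disable = yes" workaround on an
# xinetd service file such as /etc/xinetd.d/wu-ftpd. The path is a
# parameter so the logic can be tried on a copy before the live file.

# Print "yes" if the file's last non-comment "disable" line is set to
# yes, otherwise "no". Assumption: no "disable" attribute means enabled.
xinetd_disable_value() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        /^[ \t]*disable[ \t]*=/ {
            split($0, kv, "=")
            v = kv[2]
            gsub(/[ \t\r]/, "", v)               # tolerate odd spacing
            val = tolower(v)
        }
        END { print (val == "yes") ? "yes" : "no" }
    ' "$1"
}

# Step 1 of the workaround: set "disable = yes", adding the attribute
# before the closing brace if the file has none. The original file is
# kept beside it with an .orig suffix. Returns 0 if already disabled.
disable_xinetd_service() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    [ "$(xinetd_disable_value "$conf")" = "yes" ] && return 0
    cp -p "$conf" "$conf.orig" || return 1
    awk '
        /^[ \t]*#/ { print; next }
        /^[ \t]*disable[ \t]*=/ { print "\tdisable = yes"; done = 1; next }
        /^[ \t]*[}]/ && !done { print "\tdisable = yes"; done = 1 }
        { print }
    ' "$conf.orig" > "$conf"
}

# Step 2 is unchanged from the advisory: after editing the live file,
# make xinetd re-read its configuration with  kill -HUP `pgrep xinetd`
```

Running xinetd_disable_value against the service file again after the change confirms the result; the daemon keeps serving FTP until xinetd has been signalled as in step 2.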