Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all released versions of wu-ftpd, the FTP (file transfer protocol) server originally written at Washington University in St. Louis for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, wu-ftpd is the most commonly installed FTP server and ships with most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, is a memory-corruption bug in the server's filename pattern-matching (globbing) code. Any user who can log in to the FTP service can trigger it remotely, and because the daemon runs with root privileges on most installations, a successful exploit gives the attacker code execution on the server, not merely access to its files. Since most such servers accept anonymous logins from anyone on the Internet, a great number are vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally an advisory is a good thing, but the other Linux vendors had expected advisories to be held until Dec. 3, giving them time to finish their fixes. Instead, the surprise announcement left their customers exposed with no patch to apply.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
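The article says which distributions ship wu-ftpd but gives an administrator no way to find the exposed hosts. The script below is an added example, not code from the article or from the wu-ftpd project: it parses the version string that wu-ftpd prints in its 220 greeting and sorts hosts into those still on a pre-fix upstream release and those already on 2.6.2 or later. The 2.6.2 cutoff (the upstream release that shipped the globbing fix), the sample greetings and the host names are not from the page; the greetings are constructed for offline use.

```python
import re
import socket
from typing import Optional, Tuple

# Upstream release that carries the globbing fix. Not stated in the article;
# taken from the wu-ftpd 2.6.2 release, assumed here as the cutoff.
FIXED_UPSTREAM = (2, 6, 2)

# Constructed sample greetings for offline testing; none were captured from real hosts.
SAMPLE_BANNERS = {
    "old-upstream": "220 ftp.example.net FTP server (Version wu-2.6.1(1) Mon Nov 19 12:00:00 GMT 2001) ready.",
    "old-distro":   "220 mirror.example.org FTP server (Version wu-2.6.1-18) ready.",
    "fixed":        "220 ftp.example.com FTP server (Version wu-2.6.2(1) Sun Dec  2 15:10:00 EST 2001) ready.",
    "not-wu":       "220 ProFTPD 1.2.4 Server (ProFTPD) [ftp.example.edu]",
}

# wu-ftpd greetings look like "Version wu-2.6.1(1) ..." for upstream builds and
# "Version wu-2.6.1-18" for vendor packages that carry a release number.
_VERSION_RE = re.compile(r"wu-(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_wuftpd_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], Optional[int]]]:
    """Return ((major, minor, patch), vendor_release) from a wu-ftpd greeting, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    upstream = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    release = int(m.group(4)) if m.group(4) else None
    return upstream, release


def assess_banner(banner: str) -> str:
    """Classify a greeting as 'no-wu-ftpd-version', 'fixed-upstream' or 'check-vendor-patch'.

    A vendor build such as wu-2.6.1-NN may carry a backported fix, so the banner
    alone cannot clear it; compare NN against the vendor's advisory by hand.
    """
    parsed = parse_wuftpd_version(banner)
    if parsed is None:
        return "no-wu-ftpd-version"
    upstream, _release = parsed
    if upstream >= FIXED_UPSTREAM:
        return "fixed-upstream"
    return "check-vendor-patch"


def grab_banner(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Read the first line of the 220 greeting from a live server (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:13} -> {assess_banner(banner)}")
```

Two caveats apply to any banner-based check. A vendor package numbered wu-2.6.1-NN may already contain the fix as a backport, so "check-vendor-patch" means exactly that and not "vulnerable"; and an ftpaccess configured with `greeting terse` hides the version, so "no-wu-ftpd-version" means the banner proved nothing, not that the host is safe. Only the vendor advisory, or the installed package version on the host itself, settles the question.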
Crudely put, but are you somehow intimating that this is an untrue statement? It isn't.
"(Tell that to the folks whose FTP servers were already compromised)."
Guess you didn't read the article, either. Besides...........just how many, in reality, do you think were compromised? Seriously, now. Let me hear your expert guess.........then I'll give you mine.
Lastly, you seem to be somehow, for some reason, "gloating" over this............as if Linux users/proponents hate Microsoft as a rule. That's utter, complete nonsense. However, since you brought it up, you don't EVEN want to get into the security breaches in Windows releases....................
/john
Now you're starting to sound like Osama bin Ladin. I'm sure he realizes that he won't be "missed" either.
Are you by chance related to the people who opened the "Target" stores? :)
You really shouldn't have said that. You make him "sound *so* uninformed right now."
And rightly so. But a server is a server regardless of how many processors it has. There are many more 4-processor Linux servers out there doing real work than there are the big iron boxes. Each has its place.
Bigger is not always better. Except when it comes to mean jar-heads covering my scrawny USAF hide. Semper Fi.
/john
Oh my God, yes they do.
We had a 64-processor engine like that in the lab when I worked at Xerox, and when we were experimenting with a PC-based Slackware Linux server that was only going to do a tiny little admin solution of bridging a Xerox DC2000 DocuCentre color laser printer to our dishwasher-sized Sun UltraSPARC, the Linux box choked and wheezed and gave up, requiring a hard reboot at the power switch.
Just like the mythical knights of England who tried to pull Excalibur from the stone, every engineer on staff tried their hand at optimizing the Linux box (which was a pretty pimped-out PC for the time) but they all eventually gave up.
Eventually, we went back to the *original* bridge solution, which was an MS-DOS 6.22 PC on the exact same hardware. All the Linux box had to do was stream an unending river of code from one machine to the other, but only DOS did it without having a heart attack. DOS wasn't even using the maximum 32Mb of extended memory that emm386.exe could address!
Our lab's Linux advocate sulked for a while after that, especially after a project manager referred to the Linux box as a 'Nintendo Gameboy' in a weekly staff meeting.
The only reason we even tried the switch was because we were trying to satisfy one customer's demand that 'We don't trust DOS. It's too old. We want Linux.'
I think that Xerox uses a WinNT4 solution to do that job now, but I doubt even that was necessary.
Thanks...:)
He could always use that Linux server for a Tivo.
Use what works.
Huh? Wtf are you talking about? I said find the wuFTP package, not which one is most popular. Are you really that confused by Linux? You need to look at the left side of your screen, not the right. Scroll down and on the left side of the screen look for the column titled: "Feature or package (data in brackets indicate the latest stable package)". Go down that column and look for wuFTP included in any distro.
Btw, XP blows cuz it doesn't have memmaker.
When Cray went out of business, Sun and SGI got what was left. It was shortly thereafter that Sun came out with the 10K. SGI has consistently beaten Sun in terms of raw computing power, but Sun has always shone through with good reliability and modularity.
But, like someone said above...whatever gets the job done. I don't believe in locking myself into one particular solution, so I try to always leave myself a migration path, if needed, to bigger stuff.
But, for a lot of jobs, Linux on a PC works well enough.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.