Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects wu-FTPd 2.6.1 and every earlier version. wu-FTPd, originally written at Washington University in St. Louis, is a server that makes files available over the Internet via FTP (File Transfer Protocol).
While the exact number of active FTP servers on the Internet is not known, wu-FTPd is the most commonly installed FTP server and ships with most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and WireX.
The problem, known in security circles as the wu-FTPd Globbing Heap Corruption Vulnerability, is a memory-corruption bug in the server's handling of filename patterns (globbing): a malformed pattern corrupts the heap and lets a remote attacker run code with the privileges of the FTP daemon, which normally runs as root, so the attacker gets the whole machine, not just its files. The only precondition is an FTP login, and since most such servers accept anonymous logins from anyone on the Internet, a great number are exposed.
Huger called the flaw "serious."
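The globbing bug named above belongs to a well-known class: a pattern-expansion routine reports an error but leaves its output pointer untouched, and the caller frees that pointer anyway, so a crafted pattern turns into a free() of memory the program never allocated. The C program below is an added illustration written for this page, not wu-FTPd's code and not the exploit: expand() is a hypothetical, much-simplified brace expander standing in for a glob routine, list_vulnerable() is the unsafe caller, list_hardened() the corrected one, and "~{" is a constructed malformed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap copy of a C string (avoids relying on the POSIX strdup). */
static char *copy_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    memcpy(d, s, n);
    return d;
}

/* Free a NULL-terminated string array produced by expand(). */
void free_list(char **list) {
    if (!list) return;
    for (char **p = list; *p; p++) free(*p);
    free(list);
}

/* Hypothetical simplified brace expander (NOT wu-FTPd's ftpglob):
 * "pre{a,b}post" -> "preapost", "prebpost"; one brace group at most.
 * On success returns 0 and stores a NULL-terminated array in *out.
 * On malformed input (unmatched '{') returns -1 and, like the bug
 * class under discussion, does NOT touch *out. */
int expand(const char *pattern, char ***out) {
    const char *open = strchr(pattern, '{');
    if (!open) {                           /* nothing to expand */
        char **list = calloc(2, sizeof *list);
        list[0] = copy_str(pattern);
        *out = list;
        return 0;
    }
    const char *close = strchr(open, '}');
    if (!close) return -1;                 /* error path: *out left alone */

    size_t prelen = (size_t)(open - pattern);
    const char *post = close + 1;
    size_t n = 1;                          /* number of alternatives */
    for (const char *p = open + 1; p < close; p++) if (*p == ',') n++;

    char **list = calloc(n + 1, sizeof *list);
    size_t i = 0;
    const char *start = open + 1;
    for (const char *p = open + 1; p <= close; p++) {
        if (*p == ',' || p == close) {     /* end of one alternative */
            size_t altlen = (size_t)(p - start);
            char *s = malloc(prelen + altlen + strlen(post) + 1);
            memcpy(s, pattern, prelen);
            memcpy(s + prelen, start, altlen);
            strcpy(s + prelen + altlen, post);
            list[i++] = s;
            start = p + 1;
        }
    }
    *out = list;
    return 0;
}

/* VULNERABLE caller (deliberately never executed): 'list' is uninitialized,
 * expand() leaves it alone on failure, and free_list() then frees whatever
 * stale pointer sits on the stack. If an attacker can shape that value with
 * earlier requests (hypothetical here), this is an arbitrary free, i.e.
 * heap corruption in a daemon that runs as root. */
int list_vulnerable(const char *pattern) {
    char **list;
    int rc = expand(pattern, &list);
    if (rc != 0) printf("550 bad pattern\n");
    free_list(list);                       /* BUG: runs on the error path too */
    return rc;
}

/* HARDENED caller: pointer starts as NULL, the status is checked before any
 * cleanup, and only memory this function actually received is released. */
int list_hardened(const char *pattern) {
    char **list = NULL;
    int rc = expand(pattern, &list);
    if (rc != 0) {
        printf("550 bad pattern\n");
        return rc;                         /* nothing allocated, nothing to free */
    }
    for (char **p = list; *p; p++) printf("%s\n", *p);
    free_list(list);
    return 0;
}

/* Number of names a pattern expands to, or -1 on error (used by the checks). */
int expansion_count(const char *pattern) {
    char **list = NULL;
    if (expand(pattern, &list) != 0) return -1;
    int n = 0;
    for (char **p = list; *p; p++) n++;
    free_list(list);
    return n;
}

int main(void) {
    list_hardened("file{1,2}.txt");        /* prints file1.txt and file2.txt */
    list_hardened("~{");                   /* constructed bad input, rejected cleanly */
    /* list_vulnerable("~{") is not called: it would free an uninitialized pointer. */
    return 0;
}
```

Compile with `cc -Wall glob_demo.c` and run it. The repair is indeed "not rocket science" (initialize the pointer, check the status before cleanup), which is what makes the disclosure timing in this story the real issue: the fix is a few lines, but until a vendor ships it, every anonymous FTP site running the daemon as root is one malformed pattern away from compromise.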
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally an advisory is a good thing, but the other Linux vendors had expected advisories to be published Dec. 3, giving them time to ship fixed packages alongside. Instead, the surprise announcement told attackers which component to target while the customers of other companies' products had no patch to apply.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
Huh?
WTF do you plan on doing with a 16 bit memory manager on a native 32 bit OS?
Or were you just trolling?
Not to the idiots that chase the latest fad. You know the type, they screw up the MBR on your dad's MS box, get their Novell certification so they can get fired for deleting files they thought didn't matter, then got their MSCS mail-order from Liberia, got laid off in the last downturn and now have System Admin on their business cards. The ones that think they know unix because they recently did a Caldera install, but don't know the difference between /etc/services and /etc/inetd.conf. Snerk!
/john
Since no one else has answered this.. a "distribution" is a particular entity's (RH, Mdk, Suse, Corel (well, nevermind them)) Linux "Package"... contains the kernel source and binaries, tools and daemons, X-windows stuff (usually Gnome and KDE), initialization scripts, and usually some configuration tools specifically written by the company for that distribution.
Roughly equivalent to a "Release" in your world.
Btw, I run XP Pro along with my Linuxes and like it. I've got an MCP in 2000 but see Linux is the future. To me it looks like the mid-80s and what MS was doing with DOS vs. the proprietary IBM/DEC/Wang business systems and the personal boxes of Amiga, Commodore, Apple, Tandy, etc. Only now Linux is offering the winning formula of a cheaper, easy-to-license, easy-to-develop, cross-platform OS with broad hardware compatibility. Imo whoever offers that can undercut any OS in time.
SunOS is pretty buggy, but Sun is ok with the patches. The small servers are power pigs too, compared to x86 solutions running linux. They have good hardware reliability, and die predictably. They have great, but pricy (if out of warranty), service for broke stuff. The Sun warranty system is better at keeping records than most admins. Read them the S/N, and they will tell you the day your PO hit, and whether warranty still covers it. Sun is ok, but the best I ever got out of a server was 565 days uptime. Course, we had to unplug the server to move it. GRIN!
/john
Look, either you have a brain or you don't. You appear to be in the latter category. When you can code, give me a call, I'll give you a $30k a year job to produce flawless code.
---max
I can produce code that compiles without error, first time, every time. Unless you make me take out the comment delimiter.
/john
Yet another moron heard from. In the open source world, as soon as someone discovers a security flaw, it is announced. Unlike the Microshaft world where someone gets shafted, then 3 weeks later the security flaw is announced.
If you or anyone else can exploit my Linux server, I'll pay you $1000 American, but then again you probably can't find the "any" key.
Only in America do people think that they are an expert because they are entitled to an opinion.
---max
All coders start somewhere. Can you say "Data Division"?.
---max
Nope, I'm not that advanced. I can say "Accidental Fork Bomb" though.
Recursion makes me dizzy. I could never be a real programmer.
/john
Evidently you did not trouble yourself to read the article at the top of this thread before weighing in on it.
BTW, you seem to have inadvertently reversed the order of the two sentences quoted above. HTH, etc.
You don't enjoy writing tiny bits of code that do things an entire human brain can't do?
/john
That's not what the article says:
This is funny. This is nothing more than competition between the various flavors of Linux. The WU-FTP issue was solved at our job months ago, and it is a very simple fix as well.
Any IS/IT team that runs Linux servers and does not already know about this "problem" is asleep at the wheel and isn't worth its salt.