Yet another wu-ftpd remote hole was reported (w/ intentionally broken
sploit) on BugTraq yesterday.
I couldn't check this further, but an attached patch (from Connectiva
Linux, similar stuff in Debian) might help.
Created attachment 698 [details]
security patch for the latest bug (HTH)
We're aware of it and have already built an updated package.
It'll be released as soon as the QA guys approve it, should be only a couple
The security patch included in the updated package fixes only the problems
with the *printf-style % format specifications (the known exploit of the
site exec bug). The patch submitted by firstname.lastname@example.org is different,
in that it deals with other potential buffer overrun problems related to
the site exec command. Would it not be a good idea to include both patches?