Impact By exploiting any of these input validation problems, local or remote users logged into the ftp daemon may be able execute arbitrary code as root. An anonymous ftp user may also be able to execute arbitrary code as root. Original release date: July 7, 2000 Last revised: July 18, 2000 Source: CERT/CC Systems Affected Any system running wu-ftpd 2.6.0 or earlier Any system running ftpd derived from wu-ftpd 2.0 or later Some systems running ftpd derived from BSD ftpd 5.51 or BSD ftpd 5.60 (the final BSD release) Overview A vulnerability involving an input validation error in the "site exec" command has recently been identified in the Washington University ftpd (wu-ftpd) software package. Sites running affected systems are advised to update their wu-ftpd software as soon as possible. A similar but distinct vulnerability has also been identified that involves a missing format string in several setproctitle() calls. It affects a broader number of ftp daemons.
An update for 6.x was released some months ago.
(the update is 2.6.0-14.6x; it was released a couple of days before wu-ftpd 2.6.1 was released and has all the security fixes).