By exploiting any of these input validation problems, local or remote users
logged into the ftp daemon may be able execute arbitrary code as root. An
anonymous ftp user may also be able to execute arbitrary code as root.
Original release date: July 7, 2000
Last revised: July 18, 2000
Any system running wu-ftpd 2.6.0 or earlier
Any system running ftpd derived from wu-ftpd 2.0 or later
Some systems running ftpd derived from BSD ftpd 5.51 or BSD ftpd 5.60 (the
final BSD release)
A vulnerability involving an input validation error in the "site exec"
command has recently been identified in the Washington University ftpd
(wu-ftpd) software package. Sites running affected systems are advised to
update their wu-ftpd software as soon as possible.
A similar but distinct vulnerability has also been identified that involves
a missing format string in several setproctitle() calls. It affects a
broader number of ftp daemons.
An update for 6.x was released some months ago.
(the update is 2.6.0-14.6x; it was released a couple of days before wu-ftpd
2.6.1 was released and has all the security fixes).