Lars Thorelius wrote:
> I have just been tipped by my son (who studies networking)
> that someone in his class has "seen" my e-smith through FTP
> as Root with full privileges! This worries me, of course, and
> the culprit won't say how, of course. I have my e-smith 4.01
> set up as a public FTP-server, but with no external Telnet
> rights.
We take security very seriously at e-smith. If anyone ever has any security concerns they should immediately send details to security@e-smith.com - and if you don't remember that, to bugs@e-smith.com.
Do *NOT* post security concerns in a public forum.
> I searched the net for some clues to this, and found the
> following article:
...
****************************
> Security experts warn of major FTP server flaw
> 14:55 Monday 26 June 2000
> By BARRY PARK
> INTERNET security experts have warned of a serious flaw in
> FTP server software that can allow hackers to take control of
> the server.
Please see the first news article on
http://www.e-smith.com to see why this does not apply to you or your server.
Regards
Charlie
> Conectiva Linux Security issued an advisory today warning
> wu-ftpd users of a buffer overflow that can be remotely
> exploited, giving hackers root privileges on the system.
>
> The problem affects all wu-ftpd package versions up to and
> including version 2.6.0, the advisory says.
>
> The company has provided a patch at
> www.conectiva.com.br.
> ***********************************************************************************************
>
> Is this something that applies to the e-smith server? Should
> I switch off the FTP rights (I really have a lot of use for it)?
>
> I would appreciate an initiated answer.
>
> Regards
> Lars