Message-Id: <199909170216.LAA01971@splpe481.ccs.mt.nec.co.jp>
To: doc-jp@jp.FreeBSD.org
In-Reply-To: <199909170120.KAA00853@kid.micon.co.jp>
References: <199909170120.KAA00853@kid.micon.co.jp>
Date: Fri, 17 Sep 1999 11:16:38 +0900 (JST)
From: Koga Youichirou <y-koga@jp.freebsd.org>
Subject: [doc-jp 6672] Re: FreeBSD-SA-99:03.ftpd REISSUED

Atushi Sakauchi <sakauchi@micon.co.jp>:
> =============================================================================
> FreeBSD-SA-99:03                                            Security Advisory
$B!D(B $B$5$/$C$HN,(B $B!D(B
> $B%b%8%e!<%k(B:           wu-ftpd and proftpd

and $B$OA02s!V$*$h$S!W$HLu$7$F$$$^$9$M!#(B

> Announced:            1999-09-05
> Reissued:             1999-09-15

The dates were also translated.

> Corrected:            FreeBSD-3.3 RELEASE (translator's note: planned)

FreeBSD 3.3-RELEASE

>                       For wuftpd, FreeBSD from August 30, 1999 onward

wu-ftpd (it is wu-ftpd in ports as well, so why shorten it so oddly???)

> I.   $BGX7J(B
> 
> wuftpd, beroftpd and proftpd are all optional portions of the system
> designed to replace the stock ftpd on a FreeBSD system.  They are
> written and maintained by third parties and are included in the
> FreeBSD ports collection.
> 
> WU-FTPD, berofptd and ProFTPD are, in order to replace the standard ftpd of FreeBSD,

BeroFTPD $B$,0lHLE*$G$9$M!#(B

> II.  $B2r@b(B
> 
> There are different security problems which can lead to remote root
> access in these ports or packages.
> 
> $B$3$l$i$N(B Ports $B%Q%C%1!<%8$K$O(B, $B%j%b!<%H$N%f!<%6$K(B root $B8"8B$rC%$o$l$k(B
> $B2DG=@-$,$"$k$H$$$&8DJL$N%;%-%e%j%F%#>e$N<eE@$,$"$j$^$9(B.

$B!V$3$l$i$N(B ports $B$"$k$$$O(B packages $B$K$O!D!W(B
$B!V<eE@!W$8$c$J$/$F!VLdBj!W(B
$B!V8DJL$N!W"*!V$=$l$>$lJL$N!W(B

> IV.  $BBP1~:v(B
> 
> Disable the ftp daemon until you can upgrade your system, or use the
> stock ftpd that comes with FreeBSD.
> 
> Stop the ftp daemon until the upgrade is complete, or
> let's use the standard ftpd that comes with FreeBSD.

Since this is an advisory, I think it would be good to drop "使いましょう" ("let's use") and make it something like "使用する" ("use").

> V. $B2r7h:v(B
> 
> Upgrade your wu-ftpd port to the version in the cvs repository after
> August 30, 1999.  If you are not using the wu-ftpd port, then you
> should visit their web site and follow instructions there to patch
> your existing version.
> 
> WU-FTPD $B$N(B Ports $B$r(B, 1999$BG/(B8$B7n(B30$BF|0J9_$N(B CVS $B%j%]%8%H%j$KBP1~$7$?(B
> $B%P!<%8%g%s$K%"%C%W%0%l!<%I$7$F$/$@$5$$(B. Ports $B$r;H$C$F$$$J$$>l9g$O(B,
> $B3+H/85$N(B Web$B%5%$%H$r;2>H$7!"%Q%C%A$rE,MQ$7$F$/$@$5$$(B.

"使っていない" ("not using", plain wording) → "使用していない" ("not using", formal wording)

> beroftpd, which was listed in the original wu-ftpd group's advisory as
> having a similar problem, has not been corrected as of September 15,
> 1999.  It will not be in the 3.3 release.  The port has been marked
> forbidden and will remain so until the security problems have been
> corrected.  If you are running beroftpd you are encouraged to find if
> patches are available for it which corrects these problems before
> enabling it on your system.
> 
> beroftpd $B$K$bF1MM$NLdBj$,$"$k$3$H$,!"(BWU-FTPD $B3+H/%0%k!<%W$K$h$C$F(B
> $B;XE&$5$l$F$$$^$9$,(B, 1999$BG/(B9$B7n(B15$BF|8=:_=$@5$5$l$F$$$^$;$s(B. 

$B!V(BBeroFTPD $B$K$bF1MM$NLdBj$,$"$k$3$H$,!"85$N(B WU-FTPD $B%0%k!<%W$N4+9p$N%j(B
$B%9%H$K:\$C$F$$$^$9$,!"!D!W(B

> $B$3$l$O(B 3.3 Release $B$K$O4^$^$l$^$;$s(B. Ports $B$O(B $B$9$G$K(B "$B5v2D$5$l$J$$(B"
> $B$H$5$l$F$*$j(B, $B%;%-%e%j%F%#>e$NLdBj$,2r7h$5$l$k$^$G2r=|$5$l$^$;$s(B.
> beroftpd $B$rAv$i$;$kA0$K(B, $B$3$NLdBj$KBP$9$k%Q%C%A$K$D$$$F3NG'$7$F2<$5$$(B.

$B!V(B3.3-RELEASE$B!W$+$J!#(B
$B!V4^$^$l$J$$M=Dj$G$9!W(B
$B0ULu$7$F!"!V%;%-%e%j%F%#>e$NLdBj$,2r7h$5$l$k$^$G!"(BBeroFTPD $B$r(B ports $B$K(B
$B:\$;$k$3$H$O6X;_$5$l$F$$$^$9!#!W(B

# I do not really want to translate freely, but a straight translation does not show the reason.

> proftpd, which had different security problems, has not been updated
> to a safe version as of September 15, 1999.  It will not be in the 3.3
> release.  It will not be in the 3.3 release.  The port has been marked
> forbidden and will remain so until the security problems have been
> corrected.  If you are running proftpd, you are encouraged to find out
> if there are patches which correct these problems before reenabling it
> on your system.
> 
> ProFTPD $B$O(B $BJL$N%;%-%e%F%$%F%#>e$NLdBj$rJz$($F$$$F(B, 1999$BG/(B9$B7n(B15$BF|8=:_(B
> $B0BA4$J%P!<%8%g%s$OB8:_$7$^$;$s(B. $B$3$l$O(B 3.3 Release $B$K$O4^$^$l$^$;$s(B.
> Ports $B$O(B $B$9$G$K(B "$B5v2D$5$l$J$$(B"
> $B$H$5$l$F$*$j(B, $B%;%-%e%j%F%#>e$NLdBj$,2r7h$5$l$k$^$G2r=|$5$l$^$;$s(B.

BeroFTPD $B$HF1MM$N=q$-49$(!#(B

> ProFTPD $B$rAv$i$;$kA0$K(B, $B$3$NLdBj$KBP$9$k%Q%C%A$K$D$$$F3NG'$7$F2<$5$$(B.

$B!V(BProFTPD $B$r;HMQ$9$k>l9g!";HMQ$r:F3+$9$kA0$K!D!W(B

> The previous advisory suggested that any FreeBSD ports version of
> proftpd after August 30 had the security problems corrected.  This has
> proven to not be the case and was the primary reason for reissuing
> this advisory.  While reissuing the advisory, we added beroftpd since
> it shares a code history with wu-ftpd.  The original advisory
> mistakenly asserted that proftpd also shared a code history with
> wuftpd, which is not the case.
> 
> The previous advisory stated that ProFTPD Ports from August 30 onward were safe.
> This turned out not to be true, which led to this reissue.
> We also added beroftpd, which shares code with WU-FTPD.

BeroFTPD
It is not that it shares code; rather, its source, or origin, is the same as
that of WU-FTPD.

> VI.  Credits and Pointers
> 
> The wu-ftpd advisory can be found at
> 	ftp://ftp.wu-ftpd.org/pub/wu-ftpd/2.5.0.Security.Update.asc
> 
> VI.  $B<U<-(B, $B;29M;qNA(B
> 
> The WU-FTPD sdvisory is found below.

$B!V(BWU-FTPD advisory $B$O0J2<$N(B URL $B$G;2>H$G$-$^$9!#!W$/$i$$$K$7$^$7$g$&!#(B
advisory $B$rLu$9$H$7$?$i!V4+9p!W!#(B

> =============================================================================
> FreeBSD, Inc.
> 
> Web Site:                       http://www.freebsd.org/
> Confidential contacts:          security-officer@freebsd.org
> Security notifications:         security-notifications@freebsd.org
> Security public discussion:     freebsd-security@freebsd.org
> PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc
> 
> Notice: Any patches in this document may not apply cleanly due to
>         modifications caused by digital signature or mailer software.
>         Please reference the URL listed at the top of this document
>         for original copies of all patches if necessary.
> =============================================================================

Let's attach the usual one here.
----
Koga Youichirou
