From: Chris Myers
Message-Id: <199304082025.AA10577@wugate.wustl.edu>
Subject: IMPORTANT: New wuarchive ftpd server w/critical security fix released
To: wu-ftpd-users@wugate.wustl.edu
Date: Thu, 8 Apr 93 15:25:46 CDT

Dear System Administrator:

A survey of all of the sites listed in the Anonymous FTP Site list posted
to comp.misc, news.answers, ... shows that you might be running the
"wuarchive" ftp server.  If so, please read the attached notice regarding
a new release of the server -- a critically important security hole has
been fixed in this release.

Chris Myers                            Internet: chris@wugate.wustl.edu
Software Engineer                      UUCP:     ...!uunet!wuarchive!chris
Office of the Network Coordinator      BITNET:   chris@wunet.bitnet
Washington University in Saint Louis   Phone:    +1 314 935 7390

--- CUT HERE ---

The Washington University Office of the Network Coordinator is pleased to
announce the release of a new version of the wuarchive FTP server.  This
server includes many security enhancements and new features, and a fix for
a very serious security problem (only brought to our attention today) --
if you are running any version of our ftp server released before
April 8, 1993, you should upgrade IMMEDIATELY (we mean today, not next
week!).

This release includes full documentation for installation and
configuration, and is also very easy to compile and install.  See
wu-ftpd-2.0/INSTALL, wu-ftpd-2.0/NOTES and wu-ftpd-2.0/doc/README for
more information on how to install and operate this ftp server.

The server may be retrieved via anonymous FTP from wuarchive.wustl.edu in
the directory /packages/wuarchive-ftpd.  There are two distribution
formats, a tar file and a shar file.  Fetch one of the files, and use the
appropriate method to extract it -- the individual files will be stored
in a new subdirectory called "wu-ftpd-2.0".
The way the "guestgroup" command functions has changed; if you are using
guestgroups, please read the documentation and make the appropriate
configuration changes before installing the new ftp server.

ADDITIONS AND BUG-FIXES IN RELEASE 2

0. Fixed a really serious security problem that would allow access to
   real accounts, including root (on poorly configured systems), without
   giving a valid password.

1. ftpcount no longer displays multiple listings for classes that have
   multiple "class ..." lines.

2. Added the following abilities, configurable in the ftpaccess file.
   See ftpaccess(5).

        chmod
        delete
        overwrite
        umask
        upload
        passwd_check {}
        alias
        path_filter { ...}

3. The conversion table has been moved to a separate file.  The fields
   are:

        %s:%s:%s:%s:%s:%s:%s:%s

        Field   Description
          1     strip prefix
          2     strip postfix
          3     addon prefix
          4     addon postfix
          5     external command
          6     types
          7     options
          8     description

4. ftpshut program generates shutdown file for ftp server.  Works
   similarly to shutdown(8).  See ftpshut(8).

5. guestgroup access no longer needs an entry in the secondary passwd
   file (~ftp/etc/passwd).  The home directory is now specified as
   "root/./home".  For example:

        ftptest::100:200:Guest User:/var/ftp/./incoming:/etc/noshell

   When ftptest logs in, it will chroot to /var/ftp and then chdir to
   /incoming (which is actually /var/ftp/incoming before the chroot).
   Since the directory in /etc/passwd actually points to the guest's home
   directory, they can use .forward files, etc.

Chris Myers                            Internet: chris@wugate.wustl.edu
Software Engineer                      UUCP:     ...!uunet!wuarchive!chris
Office of the Network Coordinator      BITNET:   chris@wunet.bitnet
Washington University in Saint Louis   Phone:    +1 314 935 7390

Bryan D. O'Connor                      Internet: bryan@fegmania.wustl.edu
Software Engineer, wuarchive development  UUCP:  ...!uunet!wuarchive!bryan
Office of the Network Coordinator      BITNET:   bryan@wunet.bitnet
Washington University in Saint Louis   Phone:    +1 314 935 7048
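Item 3 above only gives the eight-field layout of the new conversions file. The following is an added example (not code from the announcement or from the wu-ftpd distribution) of a parser for that layout, plus the lookup a server would do to map a requested name such as "README.Z" onto the on-disk file and the external command that produces it. The sample records, the use of "%s" as the filename placeholder in field 5, the rule that a record applies only when its derived on-disk name exists, and the absolute-path check on field 5 are all assumptions made for illustration, not details taken from the page.

```python
"""Parse a wu-ftpd 2.0 style conversions file and resolve conversion requests.

Field layout (from the announcement):
  1 strip prefix   2 strip postfix   3 addon prefix   4 addon postfix
  5 external command   6 types   7 options   8 description
Everything else in this file is an illustrative assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample records.  The affix/command contents are assumptions;
# only the 8-field colon-separated shape comes from the announcement.
SAMPLE_CONVERSIONS = """\
# compress a plain file on the fly when ".Z" is appended to its name
 : : :.Z:/bin/compress -c %s:T_REG|T_ASCII:O_COMPRESS:COMPRESS
# serve a stored ".Z" file uncompressed when the ".Z" is omitted
 :.Z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
# tar a directory when ".tar" is appended to its name
 : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
"""


@dataclass
class Conversion:
    strip_prefix: str
    strip_postfix: str
    addon_prefix: str
    addon_postfix: str
    external_cmd: str
    types: str
    options: str
    description: str


def parse_conversion_line(line: str) -> Optional[Conversion]:
    """Return a Conversion for one record, or None for blank/comment lines.

    The format described on the page has no escaping, so a record with a
    different number of colon-separated fields is treated as an error.
    """
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = [f.strip() for f in line.rstrip("\n").split(":")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    return Conversion(*fields)


def parse_conversions(text: str) -> List[Conversion]:
    """Parse a whole conversions file, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        rec = parse_conversion_line(line)
        if rec is not None:
            records.append(rec)
    return records


def external_cmd_is_absolute(rec: Conversion) -> bool:
    """Defender's sanity check (assumption): the server executes field 5,
    so the program it names should be given by absolute path."""
    return rec.external_cmd.split(" ", 1)[0].startswith("/")


def resolve(convs: Iterable[Conversion], requested: str,
            existing: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Map a requested filename onto (on-disk name, command to run).

    A record applies when the request carries the record's addon affixes and
    the name obtained by swapping them for the strip affixes exists on disk.
    The first matching record wins (ordering is an assumption here).
    """
    existing = set(existing)
    for c in convs:
        if not (requested.startswith(c.addon_prefix)
                and requested.endswith(c.addon_postfix)):
            continue
        base = requested[len(c.addon_prefix):]
        if c.addon_postfix:
            base = base[:-len(c.addon_postfix)]
        if not base:
            continue
        disk_name = c.strip_prefix + base + c.strip_postfix
        if disk_name in existing:
            # "%s" as the filename placeholder is assumed, not documented above
            return disk_name, c.external_cmd.replace("%s", disk_name)
    return None


if __name__ == "__main__":
    convs = parse_conversions(SAMPLE_CONVERSIONS)
    on_disk = {"README", "notes.Z", "docs"}        # constructed directory listing
    for name in ("README.Z", "notes", "docs.tar", "missing.Z"):
        print(f"{name:10} -> {resolve(convs, name, on_disk)}")
    print("all commands absolute:", all(external_cmd_is_absolute(c) for c in convs))
```

The `existing` parameter stands in for a stat() of the candidate on-disk name; without it the "uncompress" record, whose addon affixes are both empty, would match every request. Auditing field 5 matters because whatever it names runs under the server's identity for every matching request.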
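Item 5 above describes the new "root/./home" convention for guestgroup home directories. The following is an added example (not code from the announcement or from the server) that splits such a home directory into the chroot target and the directory to chdir to afterwards, reproducing the /var/ftp and /incoming values the announcement gives for its sample entry, and runs a couple of defender's checks over a passwd line. The check names, the decision to use the first "/./" marker when several appear, and the treatment of an entry without a marker as the pre-2.0 style are assumptions for illustration.

```python
"""Split wu-ftpd 2.0 guestgroup home directories of the form "root/./home".

Added example.  The "/./" convention and the sample passwd entry come from
the announcement; the audit checks are the reader's own, not the server's.
"""
import posixpath
from typing import Dict, List, NamedTuple, Optional

GUEST_MARKER = "/./"


class GuestHome(NamedTuple):
    chroot_dir: str    # directory the server chroots to
    chdir_inside: str  # working directory as seen after the chroot
    chdir_real: str    # the same directory as seen before the chroot


def split_guest_home(home: str) -> Optional[GuestHome]:
    """Return the chroot/chdir split for a "root/./home" path.

    Returns None when the path carries no "/./" marker, i.e. the entry still
    uses the pre-2.0 style that needed a record in ~ftp/etc/passwd.  When
    several markers are present the first one is used (an assumption).
    """
    idx = home.find(GUEST_MARKER)
    if idx == -1:
        return None
    root = home[:idx] or "/"                    # "/./incoming" means chroot to /
    inside = posixpath.normpath("/" + home[idx + len(GUEST_MARKER):])
    real = posixpath.normpath(root.rstrip("/") + inside)
    return GuestHome(root, inside, real)


def parse_passwd_line(line: str) -> Dict[str, object]:
    """Parse one passwd(5) line into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    return {"name": name, "passwd": passwd, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def audit_guest_entry(line: str) -> List[str]:
    """Return human-readable findings for a guestgroup passwd entry.

    These checks are assumptions about what an administrator would want to
    know before deploying an entry; they are not checks the server performs.
    """
    entry = parse_passwd_line(line)
    findings = []
    if entry["passwd"] == "":
        findings.append("empty password field")
    if split_guest_home(str(entry["home"])) is None:
        findings.append("home directory has no /./ marker (pre-2.0 style)")
    return findings


if __name__ == "__main__":
    # Sample entry from the announcement
    sample = "ftptest::100:200:Guest User:/var/ftp/./incoming:/etc/noshell"
    home = split_guest_home(str(parse_passwd_line(sample)["home"]))
    print("chroot to", home.chroot_dir, "then chdir to", home.chdir_inside,
          "(really", home.chdir_real + ")")
    print("findings:", audit_guest_entry(sample) or "none")
```

Note that the announcement's own sample line has an empty second field; the audit reports that so the administrator can decide deliberately whether a guest account is meant to log in with a password.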