On Wed, Apr 11, 2001 at 12:14:19PM +0200, Sebastian Krahmer wrote:
Yesterday http://www.cert.org/advisories/CA-2001-07.html was published with respect to a "glob" vulnerability in ftpd.
While the *BSD people already made some announcements, SuSE did not send out an announcement yet. (Nothing popped up at wu-ftpd.org, either.) Maybe because it's especially a *BSD problem?
That may be true. For (understandable) reasons the description in the advisory is a bit vague, so even though I had a glance over the source I didn't know what to look for in detail.
Even we need time (> 0) to review code when it comes to CERT reports etc. As far as we are through it seems that
a) glibc is not affected by that glob() implementation fault and b) the port of the OBSD 2.7 ftpd we are using is not affected.
I don't know about the other ftpd's.
Other vendors are examining their code too, btw. Fast shots won't help.
I totally agree. Your statement however does already quite help in understanding what is going on.

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153