topic wu-ftp in Operating System - HP-UX

wu-ftp

Paul Tibbitts — Tue, 08 Mar 2005 17:44:01 GMT

I am working at a customer running wu-ftp compiled from source, 2.6.0. And running TCB on hp-ux 11.0.

Everything works just fine but there are vulnerabilities in wu-ftp that must be patched per audit requirements.

Problem: as far as I can tell, vulnerabilities exist in:

1. the latest version of wu-ftp (2.6.1) that I can download from hp, and besides it supposedly doesn't work (for anonymous ftp) with TCB enabled. The customer is (I think) using anonymous ftp.

2. the latest 2.6.2 build at the porting archive.

3. even the source code download from the www.wu-ftpd.org (but there is a patch to the source code available.) Building from source wouldn't be my first choice, but is (probably) possible.

I would have to do put some effort in figuring out what the config files are doing with "groups" if I switch to another ftpd, so I'd prefer not doing that.

Hopefully I'm missing some obvious easy fix, so... does anyone have a suggestion for the best - ok, make that easiest - solution to closing the wu-ftp vulnerabilties on these systems? I'm trying very hard not to break anything as this is a production environment, with very limited possibilities for experimentation once any changes are made. Thanks for any suggestions.

Paul

Re: wu-ftp

Steven E. Protter — Tue, 08 Mar 2005 22:25:16 GMT

Best to stick with the binaries.

The latest install from HP depots is a good idea.

Since I installed 2.6.1, three years ago, there were several security warnings. HP released binaries which I manually installed.

You need to check with the response center to make sure you have all the necessary fixes.

The ability to block root ftp was not in the 2.6.1 release. That was annoying and almost nailed me on an audit.

SEP

Re: wu-ftp

Paul Tibbitts — Thu, 10 Mar 2005 09:14:23 GMT

Thanks. It sounds like all the latest vulnerabilities are not fixed in the latest available binary from the response center.

Paul