Unfortunately, 2.4 is known to have security problems (perhaps the folks at HP have addressed the issues in 2.4):
This text is from one of the wu-ftpd developers:
---------------------------------------------
Initial disclosure from NAI made reference to specific program functions
not present in WU-FTPD (the features are present, but we use different
program code). The problem, whether simply due to timing or otherwide,
appeared to be related to the recent issues with ProFTPD.
CERT was advised these issues appear to duplicate those raised in CA-99-13.
It was CERT's opinion that, while similar, these were different issues.
Furthermore, CERT tells me that NAI does not believe WU-FTPD is vulnerable
to these problems.
CERT did offer to add the statement that WU-FTPD is not believed to be
vulnerable to the problem, but that offer was made at 10PM Monday; only two
hours before the advisory was published. They obviously couldn't expect
that I'd see it (much less respond to it), before publication.
The best statement which can be made at this time is:
WU-FTPD version 2.6.1 is not believed to be vulnerable to the
issues raised in CA-2001-07. To the best of our knowledge, these
issues duplicate some of those in CA-99-13 and CA-2000-13 and users
are *STRONGLY* advised to upgrade to version 2.6.1 if they have not
already done so.
Without knowing what behavior the DoS made use of, I can only assume it is
the "wildcard globbing" issue which recently effected ProFTPD, and was the
cause of one of the issues raised in CA-99-13.
WU-FTPD 2.6.1 is NOT vulnerable to this type of DoS.
That's not to say you can not legitimately cause the server to DoS the host
.. create a directory with a few million files in it and you should be able
to stop things .. but that's not a WU-FTPD problem and there's probably
nothing we can do to fix or prevent it. It's the risk you take if you
allow write access (via any process or protocol).
The buffer overruns appear to be caused by old code based on BSD and/or
c-shell implementations of the glob function.
WU-FTPD 2.6.1 does NOT contain the vulnerable functions.
While, at one time, our function was based upon the glob functions from
BSD's ftpd, there have been so many changes over the years that our
function now bears little resemblance to anyone else's.
In addition, the published advisories disclose that the overrun is related
to expansion of tilde-user home directories.
WU-FTPD 2.6.1 is NOT vulnerable to a buffer overrun while
expanding tilde-user home directories.
Furthermore,
WU-FTPD 2.6.1 does not appear to be capable of any form of overrun
resulting from glob expansion.
I say this with less conviction simply because the code is complex, was
code-read for CA-2000-13, and I've only just taken a quick look at it to
assure myself that we do check bounds before copying and am not inclined to
pull another full audit without evidence there's something to be found.
----------------------------------------------
Unfortunately, 2.6.1 was release 7/2/00:
From
http://www.wu-ftpd.org/July 2, 2000 WU-FTPD 2.6.1 has been released
Unfortunately, I'm much more concerned with security than support; after all, if the box compromised and trashed, what good is the support?
The decisions on supported/non-supported issue have to do more with someone's comfort level, than fear that HP won't talk about a certain issue because the issues are "not supported". That's a trade-off we each have to reckon on our own.
Thanks for passing the message up the ladder. (P.S. I'm Christopher not Rick ;-) )
