> Thu, Nov 29, 2001 at 12:35:13PM +1100, John Griffiths wrote:
> At 05:22 PM 11/28/01 -0800, Greg Wiley wrote:
> >http://www.securityfocus.com/archive/1/242750
> >Debian 2.2 is on the list.
> >
> Does this affect wu-ftpd's that don't allow anonymous access?
>
> i.e. if only users can log on, and I trust my users, can
> I stop stressing about it until the fixed version is available?

The way I understand it is that it has to do with file globbing
so in order to exploit, an attacker would have to log in. So if
anon is off and none of your users are baddies, maybe you're ok
(although an unauthorized person might somehow know a legitimate
authpair).

-=greg