Flaw in Linux FTP server
By: Ewdison Then
Thursday the 29th, November 2001 at 09:39 AM (EST)
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.

The flaw affects every released version of wu-FTP (wu-ftpd), a program originally created at Washington University in St. Louis for servers that offer FTP (File Transfer Protocol) file transfers over the Internet.

While the exact number of active FTP servers on the Internet is not known, wu-FTP is the most commonly installed FTP server and ships with most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and WireX.

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, lies in the server's handling of filename patterns (globbing). An attacker who can log in to the FTP service can corrupt the server's heap and run code with the server's privileges, which on most installations means root, giving access to every file on the machine. Since most such servers accept anonymous logins from anyone on the Internet, a great number will be vulnerable.
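The two conditions the paragraph above describes, a wu-FTP build that predates the fix and an FTP service that accepts anonymous logins, are what an administrator needs to check. The following is an added example, not code from the article or from the wu-ftpd project: it parses the 220 greeting wu-ftpd sends and a captured login exchange, and reports whether a host is exposed. It assumes the usual wu-ftpd banner format ("FTP server (Version wu-2.6.1-18) ready"), and it assumes wu-ftpd 2.6.2 as the first release carrying the fix, a version number taken from the vendor advisories rather than from this article. The banners and transcripts below are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Assumption (from vendor advisories, not from the article): wu-ftpd 2.6.2
# is the first upstream release that carries the globbing fix.
FIXED_VERSION = (2, 6, 2)

# wu-ftpd greets with e.g. "220 host FTP server (Version wu-2.6.1-18) ready."
_WU_BANNER = re.compile(r"\(Version wu-(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_wu_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) when the 220 banner is wu-ftpd, else None."""
    m = _WU_BANNER.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def anonymous_login_allowed(transcript: List[Tuple[str, str]]) -> bool:
    """Scan (command, reply) pairs from a login attempt.

    True once the server answers 230 (logged in) after USER anonymous/ftp,
    whether the 230 comes in reply to USER or to the following PASS."""
    saw_anon = False
    for cmd, reply in transcript:
        parts = cmd.split(None, 1)
        if parts and parts[0].upper() == "USER":
            saw_anon = len(parts) == 2 and parts[1].lower() in ("anonymous", "ftp")
        if saw_anon and reply.startswith("230"):
            return True
    return False


def assess(banner: str, transcript: List[Tuple[str, str]]) -> dict:
    """Combine the version check and the anonymous-login check."""
    version = parse_wu_version(banner)
    vulnerable_version = version is not None and version < FIXED_VERSION
    anon = anonymous_login_allowed(transcript)
    return {
        "wu_ftpd": version is not None,
        "version": version,
        "vulnerable_version": vulnerable_version,
        "anonymous": anon,
        # Exposed to anyone on the Internet only when both conditions hold.
        "exposed": vulnerable_version and anon,
    }


# Constructed sample data for the example.
BANNER_VULNERABLE = "220 ftp.example.com FTP server (Version wu-2.6.1-18) ready."
BANNER_FIXED = "220 ftp.example.com FTP server (Version wu-2.6.2(1) Wed Nov 28 2001) ready."
BANNER_PROFTPD = "220 ProFTPD 1.2.4 Server (ProFTPD) [ftp.example.com]"

ANON_OK = [
    ("USER anonymous", "331 Guest login ok, send your complete e-mail address as password."),
    ("PASS user@example.com", "230 Guest login ok, access restrictions apply."),
]
ANON_DENIED = [
    ("USER anonymous", "530 User anonymous unknown."),
]

if __name__ == "__main__":
    for banner, transcript in [
        (BANNER_VULNERABLE, ANON_OK),
        (BANNER_VULNERABLE, ANON_DENIED),
        (BANNER_FIXED, ANON_OK),
        (BANNER_PROFTPD, ANON_OK),
    ]:
        print(assess(banner, transcript))
```

One caveat when reading the result: distributions that backport a fix usually keep the upstream version string and bump only the package release, so a 2.6.1 banner on a host that has the vendor's patched package is a false positive. Treat the banner check as a triage signal and confirm against the installed package version from the distribution's advisory.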

The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

The group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the vulnerability in mid-November. On Tuesday, however, while the companies were working together on a fix, Red Hat mistakenly released a security advisory to its own customers, almost a week early.

Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.

Since Mandrake Linux 8.0 (the current version is 8.1), the company has shipped a different FTP program, ProFTPD, by default, so Damen was unsure how many Mandrake users would be affected by the flaw.

The company has completed its own patch for Mandrake Linux but still has to test it more fully, said Damen, who expected it to be ready on Monday. "Red Hat didn't do anyone any favors with this."

On Wednesday, both SuSE, whose current distribution doesn't use wu-FTP as a default, and Caldera released advisories and patches.

For its part, Red Hat apologized for the problem.

"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.

"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
