Re: FTP Question


Subject: Re: FTP Question
From: Darron Froese (darron@froese.org)
Date: Thu Aug 16 2001 - 20:45:55 MDT


On 8/16/01 5:37 PM, "Brian Watson" <bcwatso1@uiuc.edu> wrote:

> I have version 1.2.0. The passive mode was enabled on the client,
> which was causing problems with uploading.

That's an indication of a broken server and is not to be blamed on the
client.

If it's the 1.2.0rc2 (note the rc2 - that's important) that *came* with YDL
2.0 then you're blaming the wrong thing. That rpm doesn't have any fixes
for:

1. Well known passive ftp problems that make it *broken* if you *ever* want
to use passive ftp.
2. Various security holes - there have been *several* security issues and
important fixes since 1.2.0rc2.

<http://www.proftpd.org/proftpd-l-archive/01-01/msg00354.html>
<http://www.proftpd.org/proftpd-l-archive/01-01/msg00577.html>
<http://www.proftpd.org/proftpd-l-archive/01-01/msg00662.html>
<http://www.cert.org/advisories/CA-2001-07.html>
<http://www.securityfocus.com/archive/1/169395>
<http://www.proftpd.org/proftpd-announce-archive/01-03/msg00002.html>

Also from this page:

<http://www.proftpd.net/security.html>

> All users of ProFTPD are strongly encouraged to upgrade to at least ProFTPD
> 1.2.0rc3 as soon as possible. There are several known exploits for prior
> versions of ProFTPD. If you are using an older version of ProFTPD you do so at
> your own risk, and without support. In short: you are asking for trouble, with
> a large neon sign, and full-page ads in all the world's newspapers if you
> aren't running 1.2.0rc3.

This page also details some of the many changes from 1.2.0rc2:

<http://www.proftpd.net/old_news.html>

Do yourself a favor and upgrade.

1.2.1 is the current release and can be used safely with the addition of
this directive to the configuration file:

DenyFilter \*.*/

<ftp://ftp.froese.org/rpms/ydl-2.0/proftpd/1.2.1/>

1.2.2rc3 is the current development release and seems to be pretty stable -
it has a more complete fix for some bugs and the globbing exploit:

<ftp://ftp.froese.org/rpms/ydl-2.0/proftpd/1.2.2rc3/>

-- 
Darron
darron@froese.org
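
An added example, not part of the original message or of ProFTPD: a small Python check of which FTP command arguments the quoted DenyFilter pattern would reject. It assumes the server applies the pattern as an unanchored regular-expression search over the command argument only; Python's re module stands in for the server's regex library, and the command lines are constructed samples.

```python
import re

# Pattern copied from the DenyFilter directive quoted in the message above.
DENY_FILTER = re.compile(r"\*.*/")


def split_command(line):
    """Split a raw FTP control-channel line into (verb, argument)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg


def is_denied(line):
    """Return True if the command's argument matches the deny pattern.

    Assumption: the filter is an unanchored search over the argument,
    so a literal '*' followed anywhere later by '/' is enough to match.
    """
    _, arg = split_command(line)
    return DENY_FILTER.search(arg) is not None


# Constructed sample commands (not taken from any real session).
SAMPLE_COMMANDS = [
    "NLST *.txt\r\n",                # wildcard with no later slash
    "NLST */\r\n",                   # wildcard followed by a slash
    "LIST pub/*/incoming/\r\n",      # wildcard in the middle of a path
    "RETR pub/docs/readme.txt\r\n",  # no wildcard at all
    "CWD /pub/\r\n",                 # slash but no wildcard
    "STOR notes*/draft.txt\r\n",     # literal '*' in a directory name
    "LIST /pub/*\r\n",               # trailing wildcard, no slash after it
]


def classify(commands):
    """Return (command, denied) pairs for a list of raw command lines."""
    return [(c.strip(), is_denied(c)) for c in commands]


if __name__ == "__main__":
    for cmd, denied in classify(SAMPLE_COMMANDS):
        print(f"{'DENY ' if denied else 'allow'}  {cmd}")
```

The filter only rejects arguments where a wildcard is followed by a path separator, so plain patterns such as *.txt still work, while a legitimate name containing a literal * before a / is rejected as well.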


