Re: SECURITY: proftpd


Subject: Re: SECURITY: proftpd
From: Rich Lafferty (rich@alcor.concordia.ca)
Date: Fri Sep 17 1999 - 08:25:19 MDT


Quoting Dan Burcaw (dburcaw@terraplex.com) from Tue, Sep 14, 1999 at 09:32:22PM -0600:
> Hey all:
>
> The ProFTPD Development Group has found more potential problems in their
> ftp server software. These have all been fixed in the new 1.0.2pre6
> release. I've just updated our errata page and ftp site to include
> 1.0.2pre6 and removed the pre3 version that we previously announced as
> part of a security update.

It should be pointed out that there have been vulnerabilities discovered
in pre6 already, as well (within a few hours of release, no less). No
exploit yet, but one's sure to follow. The find-and-fix race has been
going on for over two weeks now.

For what it's worth, I've now given up on both wu- and proftpd and
have gone back to plain old OpenBSD-based ftpd; I'd recommend that
path to others as well, and those that want/need anonymous ftpd might
consider Dan Bernstein's anonftpd, available from
 
 <ftp://koobera.math.uic.edu/www/anonftpd.html>
 <ftp://koobera.math.uic.edu/www/software/anonftpd-0.96.shar.gz>

    -Rich

-- 
------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Information and Instructional Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------


