Subject: Re: SECURITY: proftpd
From: Rich Lafferty (rich@alcor.concordia.ca)
Date: Fri Sep 17 1999 - 08:25:19 MDT
Quoting Dan Burcaw (dburcaw@terraplex.com) from Tue, Sep 14, 1999 at 09:32:22PM -0600:
> Hey all:
>
> The ProFTPD Development Group has found more potential problems in their
> ftp server software. These have all been fixed in the new 1.0.2pre6
> release. I've just updated our errata page and ftp site to include
> 1.0.2pre6 and removed the pre3 version that we previously announced as
> part of a security update.

It should be pointed out that there have been vulnerabilities discovered
in pre6 already, as well (within a few hours of release, no less). No
exploit yet, but one's sure to follow. The find-and-fix race has been
going on for over two weeks now.

For what it's worth, I've now given up on both wu- and proftpd and
have gone back to plain old openbsd-based ftpd; I'd recommend that
path to others as well, and those that want/need anonymous ftpd might
consider Dan Bernstein's anonftpd, available from

<ftp://koobera.math.uic.edu/www/anonftpd.html>
<ftp://koobera.math.uic.edu/www/software/anonftpd-0.96.shar.gz>

-Rich
-- 
------------------------------ Rich Lafferty ---------------------------
Sysadmin/Programmer, Information and Instructional Technology Services
Concordia University, Montreal, QC (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------

This archive was generated by hypermail 2a24 : Fri Oct 01 1999 - 16:13:44 MDT