ProFTPD 1.2.0pre5

From: MacGyver (macgyverat_private)
Date: Wed Sep 08 1999 - 03:27:02 PDT


    Just a quick note to folks -- I've released ProFTPD 1.2.0pre5.  This release
    should *CORRECTLY* address the security issues pointed out earlier.  Some
    release notes:
    
    1) There's been a decent security review of the code.  I won't claim that
    there are no holes, but we've gone through and addressed every potential
    area we can think of.  To my knowledge, there are no unsafe buffer copies
    taking place in pre5.  If you find any, please drop me a line or better yet,
    a patch. :)  I've eliminated all use of nasty things like strcpy, sprintf,
    and friends, which should help.
    
    2) The patches that have been posted both to BUGTRAQ and the ProFTPD mailing
    lists do **NOT** fix the security hole in ProFTPD.  You need to get ProFTPD
    pre5 for that.  So let me repeat it again: THE PATCHES PREVIOUSLY RELEASED
    BY OTHERS TO BUGTRAQ AND THE PROFTPD LISTS DO NOT WORK, AND IN AT LEAST TWO
    CASES HAVE **CREATED** HOLES.  PLEASE OBTAIN PRE5 WHICH SHOULD ADDRESS THESE
    ISSUES.
    
    3) The CVS repository on proftpd.org is live again, for now anyway. :)  For
    those who prefer CVS, you can grab the latest from the same place as always.
    
    4) A couple of Y2K issues were discovered and corrected in ProFTPD.
    
    5) I'd like to thank everyone who offered me the use of a FreeBSD system for
    testing purposes.  I finally got around to installing a few more gig on my
    drive, and through the lovely magic of VMWare (www.vmware.com), I got a VM
    going with FreeBSD on it that I've been using for testing.  ProFTPD is known
    to compile and run on FreeBSD 3.2 out of the box.
    
    6) There's a new directive, by popular request: Bandwidth.  It allows you to
    (obviously) limit the bandwidth of a given connection.
    
    That's about it.  Enjoy.  One last note for Solaris, Linux, and FreeBSD
    users at least:
    
    ProFTPD's configuration will automagically probe to see if you have PAM, and
    if you do, it *WILL* use it.  This is why Solaris people have reported
    problems missing shadow support, I suspect.  THIS IS BY DESIGN.  PAM is an
    inherently more flexible and standardized way to do authentication security,
    and whenever possible, ProFTPD will try to use it.  It eliminates a lot of
    ugly, problematic code, and makes it easy to support C2 and trusted systems
    with PAM support.  I've tested PAM on Linux and FreeBSD.  I've got no access
    to Solaris right now, sorry.  Please take a look at your system
    documentation for more information about PAM, as well as the sample PAM
    configuration file in the contrib directory.
    
    For general ProFTPD questions/support, please email proftpdat_private
    
    MacGyver.
    
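As an added illustration of the kind of change item 1 above describes (not ProFTPD's own code, and not the author's): the unbounded sprintf/strcpy pattern next to bounded replacements that terminate the buffer and report truncation instead of overrunning it. The 257 reply format and the buffer size are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Reply buffer size; constructed for this example. */
#define REPLY_MAX 64

/* The pattern being removed: an unbounded sprintf into a fixed buffer.
 * A path longer than the buffer overruns it, so it stays in a comment:
 *   char buf[REPLY_MAX];
 *   sprintf(buf, "257 \"%s\" created.", path);
 */

/* Bounded replacement: format with a size limit and report truncation.
 * Returns 0 if the whole reply fit, -1 if it was truncated (out is
 * still NUL-terminated) or the arguments are invalid. */
int build_mkd_reply(char *out, size_t outsz, const char *path)
{
    int n;
    if (out == NULL || outsz == 0 || path == NULL)
        return -1;
    n = snprintf(out, outsz, "257 \"%s\" created.", path);
    /* snprintf returns the length it wanted, not the length written */
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Bounded replacement for strcpy(dst, src): copies at most dstsz-1
 * bytes, always terminates, returns 0 if src fit and -1 otherwise. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len;
    if (dst == NULL || dstsz == 0 || src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}
```

Callers must act on the -1: an over-long argument should be rejected, not served with a silently truncated value.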



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:54 PDT