From owner-freebsd-security Mon Jun 9 08:59:01 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.5/8.8.5) id IAA28675
    for security-outgoing; Mon, 9 Jun 1997 08:59:01 -0700 (PDT)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29])
    by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA28665
    for ; Mon, 9 Jun 1997 08:58:46 -0700 (PDT)
Received: from localhost (cschuber@localhost)
    by passer.osg.gov.bc.ca (8.8.5/8.6.10) with SMTP id IAA10313;
    Mon, 9 Jun 1997 08:57:27 -0700 (PDT)
Message-Id: <199706091557.IAA10313@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: cschuber@localhost didn't use HELO protocol
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
X-Sender: cschuber
To: Adam Shostack
cc: darkstar@telcentral.net (Mark Rollings), dg@root.com, yossman@yoss.canweb.net, security@FreeBSD.ORG
Subject: Re: ftpd security weakness on FreeBSD (fwd)
In-reply-to: Your message of "Sun, 08 Jun 1997 22:56:06 EDT." <199706090256.WAA23765@homeport.org>
Date: Mon, 09 Jun 1997 08:57:26 -0700
From: Cy Schubert - ITSD Open Systems Group
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Mark Rollings wrote:
> | Above any of the below mentioned deficiencies in the ftpd, CERT recently
> | released an advisory on the ftpd for practically all OS's. The replacement
> | mentioned below is not satisfactory in order to properly prevent attacks
> | covered in the advisory. wu-ftp-2.4.2-beta-13 is the correct ftpd to
> | compile for FreeBSD based machines. The advisory can be found in complete
> | form at CERT. www.cert.org.
>
> Could I suggest that the FTPd from logdaemon, which is small,
> feature poor, and probably more secure than WU-ftpd would be a more
> appropriate default? People who need the functionality of WU can
> install it, those that don't get a smaller, more appropriate tool.

Another good ftpd daemon is anonftpd. It only supports anonymous ftp and
a subset of features.

Sites offering an anonymous ftp service could use the anonftpd daemon for
anonymous use while running the FreeBSD daemon (or better yet the
Kerberos V daemon) behind a TCP/Wrapper off another port.

> Adam

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."