Date: Mon, 09 Jun 1997 08:57:26 -0700
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Adam Shostack <adam@homeport.org>
Cc: darkstar@telcentral.net (Mark Rollings), dg@root.com, yossman@yoss.canweb.net, security@FreeBSD.ORG
Subject: Re: ftpd security weakness on FreeBSD (fwd)
Message-ID: <199706091557.IAA10313@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Sun, 08 Jun 1997 22:56:06 EDT." <199706090256.WAA23765@homeport.org>

> Mark Rollings wrote:
> | Above any of the below mentioned deficiencies in the ftpd, CERT recently
> | released an advisory on the ftpd for practically all OS's. The replacement
> | mentioned below is not satisfactory in order to properly prevent attacks
> | covered in the advisory. wu-ftp-2.4.2-beta-13 is the correct ftpd to
> | compile for FreeBSD based machines. The advisory can be found in complete
> | form at CERT. www.cert.org.
>
> Could I suggest that the FTPd from logdaemon, which is small,
> feature poor, and probably more secure than WU-ftpd would be a more
> appropriate default? People who need the functionality of WU can
> install it, those that don't get a smaller, more appropriate tool.
Another good ftpd daemon is anonftpd. It only supports anonymous ftp and a
subset of features. Sites offering an anonymous ftp service could use the
anonftpd daemon for anonymous use while running the FreeBSD daemon (or
better yet the Kerberos V daemon) behind a TCP/Wrapper off another port.
> Adam
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
UNIX Support OV/VM: BCSC02(CSCHUBER)
ITSD BITNET: CSCHUBER@BCSC02.BITNET
Government of BC Internet: cschuber@uumail.gov.bc.ca
cschuber@bcsc02.gov.bc.ca
Cy.Schubert@gems8.gov.bc.ca
"Quit spooling around, JES do it."
