Date: Tue, 20 Nov 2001 10:43:42 -0500
To: Mike Tancsa
From: Carroll Kong
Subject: Re: Fwd: Vendors For WU-FTPD Please Read
Cc: Mitch Collinsworth, security@FreeBSD.ORG
Message-Id: <5.1.0.14.2.20011120104126.02698ec0@netmail.home.com>
In-Reply-To: <5.1.0.14.0.20011120095853.038e9280@marble.sentex.ca>
References: <5.1.0.14.0.20011120093740.038e2580@marble.sentex.ca>

At 10:10 AM 11/20/01 -0500, Mike Tancsa wrote:
>At 09:55 AM 11/20/01 -0500, Mitch Collinsworth wrote:
>
>>On Tue, 20 Nov 2001, Mike Tancsa wrote:
>>
>> > It too seems to be vulnerable to various security holes in the recent and
>> > not so recent past :-(
>>
>>Name one thing that hasn't been. The real issue, IMO, is not
>>having never had a security bug, but how quickly bugs are fixed
>>and how easy it is to apply the fixes.
>
>qmail ? Anyways, I am not looking at either bugs or zero bugs-- just less
>bugs. The stock ftpd that comes with FreeBSD has not had many holes for
>example. For the boxes I help look after, there is a real cost every time
>we need to upgrade the software, not to mention the risk exposure while
>the hole is left unpatched. x bugs a year vs x+y is a measurable
>difference for us. For larger networks this becomes even more acute of course.
>
> ---Mike
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

I have noticed that ncftpd seems to be a pretty solid ftpd in terms of a good security track record. Unfortunately, it costs a little bit for licensing. The stock ftpd with FreeBSD is indeed very good.

Finally, I agree with Mike. When you start managing more and more boxes, it becomes a serious pain in the butt. You have to worry so much more (which is part of the job, but still), about sendmail or bind or wu-ftpd blowing up. It is nicer if you can get something that has a few less bugs to minimize this.

-Carroll Kong