Date:      Tue, 21 Jan 2003 19:14:08 +0200
From:      Maxim Sobolev <sobomax@portaone.com>
To:        "Crist J. Clark" <cjc@FreeBSD.org>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/libexec/ftpd ftpd.c
Message-ID:  <3E2D7FE0.A89831BC@portaone.com>
References:  <200301210513.h0L5D2DB061636@repoman.freebsd.org>

"Crist J. Clark" wrote:
> 
> cjc         2003/01/20 21:13:02 PST
> 
>   Modified files:
>     libexec/ftpd         ftpd.c
>   Log:
>   The FTP daemon was vulnerable to a DoS where an attacker could bind()
>   up port 20 for an extended period of time and thus lock out all other
>   users from establishing PORT data connections. Don't hold on to the
>   bind() while we loop around waiting to see if we can make our
>   connection.
> 
>   Being a DoS, it has security implications, giving it a short MFC
>   time.

Huh? What DoS and security implications are you talking about? Without
having root, a user will be unable to bind on port 20 anyway, and
this is default behaviour of FreeBSD. Therefore, I don't think that a
short MFC timeframe and subsequent merging into security branches are
really justified.

-Maxim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
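The mechanism the commit message describes, as an added example that is not ftpd.c's code: a worker that keeps its source port bound for the whole of a connect() retry loop denies that port to every other instance until the loop ends, whereas binding immediately before each attempt and closing the socket as soon as the attempt fails leaves the port free while waiting. Assumptions of this example: a high port DEMO_PORT stands in for ftp-data/20 so it runs unprivileged, DEAD_PORT is a loopback port with no listener so connect() fails at once, SO_REUSEADDR is left unset so the EADDRINUSE collision behaves the same on every platform, and the names data_connect_retry, bind_source and other_instance_can_bind are this example's own.

```c
/*
 * Added example, not ftpd.c. Shows why holding a bound source port across a
 * connect() retry loop locks other processes out of that port, and the
 * re-bind-per-attempt shape that avoids it.
 *
 * Assumptions: DEMO_PORT stands in for port 20 (unprivileged), DEAD_PORT has
 * no listener (connect() gets ECONNREFUSED immediately), no SO_REUSEADDR.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define DEMO_PORT 48020   /* stand-in for ftp-data/20 (assumption) */
#define DEAD_PORT 48021   /* nothing listens here (assumption) */

static void loopback_addr(struct sockaddr_in *sa, int port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons((unsigned short)port);
    sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
}

/* TCP socket bound to 127.0.0.1:port, or -1 with errno set (e.g. EADDRINUSE). */
static int bind_source(int port)
{
    struct sockaddr_in sa;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    loopback_addr(&sa, port);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(s);
        errno = saved;
        return -1;
    }
    return s;
}

/* Plays the "other ftpd instance": can it take the shared source port right
 * now? Returns 1 if the bind succeeds (and releases it again), 0 if not. */
static int other_instance_can_bind(void)
{
    int s = bind_source(DEMO_PORT);
    if (s < 0)
        return 0;
    close(s);
    return 1;
}

/*
 * One worker trying to open an active-mode data connection from DEMO_PORT
 * to DEAD_PORT, giving up after `attempts` tries. After each failed try the
 * other instance probes the port. Returns how many probes were locked out,
 * or -1 if the worker could not even get its own socket.
 *
 * release_per_attempt == 0: bind once and keep that socket for the whole
 *   loop (the shape the commit message describes). The repeated connect()
 *   on the same socket fails for a platform-specific reason after the first
 *   refusal; all that matters here is that the port stays bound.
 * release_per_attempt != 0: bind just before each connect() and close the
 *   socket the moment the attempt fails, so the port is free while waiting.
 */
static int data_connect_retry(int release_per_attempt, int attempts)
{
    struct sockaddr_in dest;
    int s = -1, i, locked_out = 0;

    loopback_addr(&dest, DEAD_PORT);
    for (i = 0; i < attempts; i++) {
        if (s < 0 && (s = bind_source(DEMO_PORT)) < 0)
            return -1;
        if (connect(s, (struct sockaddr *)&dest, sizeof dest) == 0) {
            close(s);   /* a real daemon would hand this fd to the transfer */
            return locked_out;
        }
        if (release_per_attempt) {
            close(s);   /* don't hold the bind while we wait to retry */
            s = -1;
        }
        if (!other_instance_can_bind())
            locked_out++;
        /* a real daemon would sleep here before the next attempt */
    }
    if (s >= 0)
        close(s);
    return locked_out;
}

int main(void)
{
    printf("hold bind across retries: %d of 3 probes locked out\n",
           data_connect_retry(0, 3));
    printf("re-bind per attempt:      %d of 3 probes locked out\n",
           data_connect_retry(1, 3));
    return 0;
}
```

Build with `cc -o bindhold bindhold.c` and run it: the first line reports all three probes locked out, the second none. Whether an unprivileged client can drive a root-owned daemon into the first state through the PORT command is exactly the point the reply above disputes; the example only shows what the bind being held does to the other instances.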
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E2D7FE0.A89831BC>