From owner-freebsd-security Tue May 22 18:21:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.islandnet.com (mail.islandnet.com [199.175.106.4]) by hub.freebsd.org (Postfix) with ESMTP id 6097237B424 for ; Tue, 22 May 2001 18:21:47 -0700 (PDT) (envelope-from rb@islandnet.com)
Received: from [199.175.106.243] (helo=newwilly.islandnet.com) by mail.islandnet.com with SMTP id 152NLO-000I7g-00 for freebsd-security@freebsd.org; Tue, 22 May 2001 18:21:46 -0700
Content-Type: text/plain; charset="iso-8859-1"
From: Ron Brogden
Reply-To: rb@islandnet.com
Organization: Islandnet.com
To: freebsd-security@freebsd.org
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 18:18:10 +0000
X-Mailer: KMail [version 1.2]
References: <000501c0e316$7deb4450$45d8db40@mhx800> <0105221816290I.13659@newwilly.islandnet.com>
In-Reply-To: <0105221816290I.13659@newwilly.islandnet.com>
MIME-Version: 1.0
Message-Id: <0105221818100J.13659@newwilly.islandnet.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tuesday 22 May 2001 18:16, you wrote:
> On Tuesday 22 May 2001 23:25, you wrote:
> > There is an ftp vuln... I do not have any details on it sorry.. Some
> > kinda overflow.. I would run proftpd

Care to back this up with some data? From all I have seen on the issue, ProFTPD has suffered about as many showstoppers as WU-FTPD. I am not claiming that WU-FTPD is necessarily better, just that I see it as no worse, and it is definitely not an immediate "solution" to security hassles. It is *not* like comparing IIS to Apache (since Apache suffers way fewer security problems in the codebase), more like comparing Netscape (iPlanet) to IIS. =)

In the Bugtraq archives there are 12 vulnerability postings for WU-FTPD and 8 for ProFTPD.
Of the WU-FTPD ones, one is not actually in WU-FTPD and a couple more are ancient. Also, a bunch are really just the same issue from different vendors. Of the ProFTPD issues, there is a DoS as well as buffer overflows, format strings, etc. Nothing there suggests it has an even remotely better security record.

I cringe when I see people suggest that ProFTPD is more secure, because the facts do not bear it out and I fear it gives folks a false sense of security. IMHO, of course.

Cheers,

Ron

-- 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message