Date: Tue, 22 May 2001 18:18:10 +0000
From: Ron Brogden <rb@islandnet.com>
To: freebsd-security@freebsd.org
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Message-ID: <0105221818100J.13659@newwilly.islandnet.com>
In-Reply-To: <0105221816290I.13659@newwilly.islandnet.com>
References: <Pine.BSF.4.21.0105221226100.202-100000@portal.none.ua> <000501c0e316$7deb4450$45d8db40@mhx800> <0105221816290I.13659@newwilly.islandnet.com>

On Tuesday 22 May 2001 18:16, you wrote:
> On Tuesday 22 May 2001 23:25, you wrote:
> > There is an ftp vuln... I do not have any details on it sorry.. Some
> > kinda overflow.. I would run proftpd

Care to back this up with some data? From all I have seen on the issue, ProFTPD has suffered about as many showstoppers as WU-FTPD. I am not claiming that WU-FTPD is necessarily better, just that I see it as no worse and it is definitely not an immediate "solution" to security hassles. It is *not* like comparing IIS to Apache (since Apache suffers way less security problems in the codebase), more like comparing Netscape (Iplanet) to IIS. =)

In the Bugtraq Archives there are 12 vulnerability postings for WU-FTPD and 8 for ProFTPD. Of the WU-FTPD ones, one is not actually in WU-FTPD and a couple more are ancient. Also, a bunch are really just the same issue from different vendors. Of the ProFTPD issues, there is a DOS as well as buffer overflows, format strings, etc. Nothing there suggests it has an even remotely better security record.

I cringe when I see people suggest that ProFTPD is more secure because the facts do not bear it out and I fear it gives folks a false sense of security. IMHO of course.

Cheers,

Ron