Date: Mon, 2 Oct 2000 22:01:20 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Brett Glass <brett@lariat.org>
Cc: Jordan Hubbard <jkh@winston.osd.bsdi.com>, security@FreeBSD.ORG
Subject: Re: ftpd bug in FreeBSD through at least 3.4
Message-ID: <20001002220120.A59204@mithrandr.moria.org>
In-Reply-To: <4.3.2.7.2.20001002133527.00d604a0@localhost>; from brett@lariat.org on Mon, Oct 02, 2000 at 01:43:33PM -0600
References: <Message <brett@lariat.org> <4.3.2.7.2.20001002113441.04932240@localhost> <59846.970514080@winston.osd.bsdi.com> <4.3.2.7.2.20001002133527.00d604a0@localhost>
On Mon 2000-10-02 (13:43), Brett Glass wrote:
> At 01:14 PM 10/2/2000, Jordan Hubbard wrote:
>
> >That's the client crashing, you knob. Read the advisories more closely.
> >What linux ftp clients do is not all that urgent a concern of ours.
>
> Jordan:
>
> Alas, there is still reason for concern. Here's why:
>
> 1) At least some FreeBSD clients are also crashing in the same way as the
> Linux client described in that message. They're segfaulting, which means
> they could be susceptible to attacks from malicious servers.

You aren't keeping your machines up to date. This was fixed in RELENG_3
already:

revision 1.14.2.3
date: 2000/06/23 14:46:54;  author: ru;  state: Exp;  lines: +3 -3
MFC: (rev 1.17) Get rid of segfault in a `site %s' case.

> 2) There is still some funkiness in recent FreeBSD servers too. This is
> evidenced by the fact that bad commands can generate responses which look
> like a memory dump. They also mess up the output of ps(1). See my message
> a few minutes ago to Alex, which shows problems in the server when I submit
> bad commands using the MS-DOS/Windows client.

I don't see this with a 3.3 or 3.4 ftpd.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
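The practical question Neil's reply raises is whether a given 3.x box actually carries the RELENG_3 client fix he cites (revision 1.14.2.3, MFC of 1.17). The script below is an added example for checking that, not code from the thread or from FreeBSD. It assumes two things that the message does not state: that the fixed file is src/usr.bin/ftp/cmds.c, and that the ftp binary was built with its $FreeBSD$ ids compiled in so ident(1) can read them. The sample ident output is constructed. Note that CVS revisions are only ordered within one branch, so the trunk revision 1.17 is reported as "other-branch" rather than compared numerically against 1.14.2.3; this says nothing about the server-side behaviour Brett reports.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): does a FreeBSD 3.x
# ftp(1) binary carry the RELENG_3 fix cited in the reply?
# Assumptions (not stated on the page): the fixed file is
# src/usr.bin/ftp/cmds.c, and the binary contains $FreeBSD$ ids.

FIXED_REV="1.14.2.3"
FIXED_FILE="src/usr.bin/ftp/cmds.c"

# Read ident(1)-style output on stdin and print the RCS revision of file $1.
# Lines look like:
#   $FreeBSD: src/usr.bin/ftp/cmds.c,v 1.14.2.3 2000/06/23 14:46:54 ru Exp $
rev_of_file() {
    sed -n "s|.*\$FreeBSD: $1,v \([0-9.]*\) .*|\1|p" | head -n 1
}

# Compare CVS revision $1 against $2. Revisions on the same branch share
# every field except the last, so only the last field is ordered; anything
# with a different prefix (e.g. trunk 1.17 vs branch 1.14.2.x) is reported
# as "other-branch" rather than guessed at.
cmp_rev() {
    rev=$1 base=$2
    rp=${rev%.*}; bp=${base%.*}
    if [ "$rp" != "$bp" ]; then
        echo other-branch
        return 0
    fi
    rl=${rev##*.}; bl=${base##*.}
    if [ "$rl" -lt "$bl" ]; then
        echo older
    elif [ "$rl" -gt "$bl" ]; then
        echo newer
    else
        echo same
    fi
}

# Verdict for one binary's ident output on stdin: "fixed (rev)" or
# "not-fixed (rev)". A missing id is treated as not fixed, not as unknown,
# because the safe default is to rebuild.
ftp_client_status() {
    rev=$(rev_of_file "$FIXED_FILE")
    if [ -z "$rev" ]; then
        echo "not-fixed (no id for $FIXED_FILE)"
        return 0
    fi
    case $(cmp_rev "$rev" "$FIXED_REV") in
        same|newer) echo "fixed ($rev)" ;;
        *)          echo "not-fixed ($rev)" ;;
    esac
}

# Constructed sample of ident(1) output, not captured from a real system.
SAMPLE='$FreeBSD: src/usr.bin/ftp/cmds.c,v 1.14.2.3 2000/06/23 14:46:54 ru Exp $'
printf '%s\n' "$SAMPLE" | ftp_client_status

# On a real 3.x machine the same check is:
#   ident /usr/bin/ftp | ftp_client_status
```

If ident(1) reports no $FreeBSD$ id for the file at all, the script deliberately treats that as not fixed; a stripped or locally patched binary gives you no evidence either way, and the page's own advice (update the machine) is the right default.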