From owner-freebsd-security Fri Sep 10 21:31:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 5490F14C27 for ; Fri, 10 Sep 1999 21:31:56 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id WAA55441; Fri, 10 Sep 1999 22:31:55 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id WAA12612; Fri, 10 Sep 1999 22:31:05 -0600 (MDT) Message-Id: <199909110431.WAA12612@harmony.village.org> To: Garrett Wollman Subject: Re: Concerning Latest FTPD exploit: FreeBSD Security Advisory: FreeBS D-SA-99:03.ftpd Cc: Michael Grommet , "'freebsd-security@freebsd.org'" In-reply-to: Your message of "Sat, 11 Sep 1999 00:28:18 EDT." <199909110428.AAA82809@khavrinen.lcs.mit.edu> References: <199909110428.AAA82809@khavrinen.lcs.mit.edu> <7011ACE3864AD31183E50008C7FA081F01D4C2@ISIMAIN> <199909110418.WAA12288@harmony.village.org> Date: Fri, 10 Sep 1999 22:31:05 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199909110428.AAA82809@khavrinen.lcs.mit.edu> Garrett Wollman writes: : You mis-read the question. /usr/libexec/ftpd is not vulnerable -- : wu-ftpd branched off the Berkeley main-line long before FreeBSD even : existed, and the problem `feature' was a wu-ftpd addition. I stand corrected. Sorry about that folks. Garrett is right. The stock ftpds on FreeBSD in 2.2.8R and 3.2R are both not impacted by these bugs. They only impact wuftpd, beroftpd (?) and proftpd. I may reissue the ftpd avisory since more security holes in proftpd have come to light and I've had several questions asked about the ftpd advisory that I thought were obvious, but turned out to be hard to get from the text I sent out. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message