From owner-freebsd-security Sun Jun 8 20:00:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA29878 for security-outgoing; Sun, 8 Jun 1997 20:00:05 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA29833 for ; Sun, 8 Jun 1997 19:59:58 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA23765; Sun, 8 Jun 1997 22:56:06 -0400 (EDT)
From: Adam Shostack
Message-Id: <199706090256.WAA23765@homeport.org>
Subject: Re: ftpd security weakness on FreeBSD (fwd)
In-Reply-To: <3.0.32.19970608210325.009c66a0@mail.telcentral.net> from Mark Rollings at "Jun 8, 97 09:03:28 pm"
To: darkstar@telcentral.net (Mark Rollings)
Date: Sun, 8 Jun 1997 22:56:06 -0400 (EDT)
Cc: dg@root.com, yossman@yoss.canweb.net, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Mark Rollings wrote:
| Above any of the below mentioned deficiencies in the ftpd, CERT recently
| released an advisory on the ftpd for practically all OS's. The replacement
| mentioned below is not satisfactory in order to properly prevent attacks
| covered in the advisory. wu-ftp-2.4.2-beta-13 is the correct ftpd to
| compile for FreeBSD based machines. The advisory can be found in complete
| form at CERT. www.cert.org.

Could I suggest that the FTPd from logdaemon, which is small, feature
poor, and probably more secure than WU-ftpd, would be a more appropriate
default? People who need the functionality of WU can install it,
those that don't get a smaller, more appropriate tool.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume