Re: proftpd bug or not?

To: debian-devel@lists.debian.org
Subject: Re: proftpd bug or not?
From: Noah Meyerhans <noahm@debian.org>
Date: Fri, 29 Mar 2002 15:49:10 -0500
Message-id: <[🔎] 20020329154910.A6902@morgul.net>
Mail-followup-to: Noah Meyerhans <noahm@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 20020328130111.GA14149@fishbowl.madduck.net>; from madduck@madduck.net on Thu, Mar 28, 2002 at 02:01:12PM +0100
References: <[🔎] 20020327140046.24a09386.stratus@alternex.com.br> <[🔎] slrnaa5kjo.8tg.lintux@roy.gaast.net> <[🔎] 20020328130111.GA14149@fishbowl.madduck.net>

On Thu, Mar 28, 2002 at 02:01:12PM +0100, martin f krafft wrote:
> 
> that's not true. the config file contains no such regex. the problem
> is in fact fixed.

No, it is in fact not fixed.  We are still vulnerable.  I have confirmed
this myself with the proftpd packages from security.debian.org.

The proftpd maintainer created an unofficial security fix package which
inserted a rule into proftpd.conf denying the regex that caused the DoS
problem.  That unofficial package, or conceivably the package from woody
or sid, is the only safe proftpd package available for Debian.

If you don't believe me, try it...

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

Attachment: pgpdJI3N2q3LR.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: proftpd bug or not?
  - From: martin f krafft <madduck@madduck.net>

References:
- proftpd bug or not?
  - From: Gustavo Franco <stratus@alternex.com.br>
- Re: proftpd bug or not?
  - From: Wilmer van der Gaast <lintux@bigfoot.com>
- Re: proftpd bug or not?
  - From: martin f krafft <madduck@madduck.net>

Prev by Date: Re: Debian's problems, Debian's future
Next by Date: Re: Looking for sponsor (FWD from debian-devel)
Previous by thread: Re: proftpd bug or not?
Next by thread: Re: proftpd bug or not?
Index(es):
- Date
- Thread