[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: proftpd bug or not?



On Thu, Mar 28, 2002 at 02:01:12PM +0100, martin f krafft wrote:
> 
> that's not true. the config file contains no such regex. the problem
> is in fact fixed.

No, it is in fact not fixed.  We are still vulnerable.  I have confirmed
this myself with the proftpd packages from security.debian.org.

The proftpd maintainer created an unofficial security fix package which
inserted a rule into proftpd.conf denying the regex that caused the DoS
problem.  That unofficial package, or conceivably the package from woody
or sid, is the only safe proftpd package available for Debian.

If you don't believe me, try it...

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgp2CrD3Hh3wB.pgp
Description: PGP signature


Reply to: