Re: ProFTPD still vulnerable (Sarge)
- To: email@example.com
- Subject: Re: ProFTPD still vulnerable (Sarge)
- From: "Francesco P. Lovergine" <firstname.lastname@example.org>
- Date: Thu, 7 Dec 2006 10:26:54 +0100
- Message-id: <20061207092654.GA3600@mithrandir>
- Mail-followup-to: email@example.com
- In-reply-to: <1165458094.18025.1.camel@localhost>
- References: <20061130062853.GM17888@lupe-christoph.de> <20061130141010.GA24916@mithrandir> <1164907690.12020.2.camel@localhost> <1165458094.18025.1.camel@localhost>
On Wed, Dec 06, 2006 at 09:21:34PM -0500, Jim Popovitch wrote:
> On Thu, 2006-11-30 at 12:28 -0500, Jim Popovitch wrote:
> > On Thu, 2006-11-30 at 15:10 +0100, Francesco P. Lovergine wrote:
> > > This is unfortunately an effect of an issue with the old mod_delay patch.
> > > It's not an exploitation of the known issue. You have to either disable mod_delay or use
> > > 1.2.10-20sarge1 which is available at http://people.debian.org/~frankie/debian/sarge
> > > That has been in use successfully for ages on high-load servers like alioth.
> > > The sarge1 version also manages the 3 recent security issues.
> > So, should we use 1.2.10-20sarge1 or the just released 1.2.10-15sarge3?
My suggestion is to use the unofficial 1.2.10-20sarge1 iff you are
experiencing segfaults on high-load servers and you wouldn't want
to set mod_delay use off for security concerns.
Francesco P. Lovergine