
Security: openssh, apache, etc.



Hi,
I see on several lists that there is a security problem at the moment.

Affected:
-openssh
(excerpt from the openssh.com page)
At least one major security vulnerability exists in several deployed
versions of OpenSSH (2.9.9 to 3.3). Please consult the ISS advisory, or
our own OpenSSH advisory on this subject, where simple patches are
provided for the pre-authentication problem. Systems with the
UsePrivilegeSeparation parameter set to yes or
ChallengeResponseAuthentication set to no are not affected.

-apache

and mod_ssl

and also glibc on Linux, but we don't have all the information yet...


excerpt from the pure-ftpd mailing list:


  Basically the thing to do these days is: upgrade everything.

  OpenSSH needs to be upgraded to 3.4.

  Apache needs to be upgraded to 1.3.26.

  mod_ssl needs to be upgraded to 2.8.10.

  But the worst part is the libc resolver bug. In case you missed it, a
serious and remotely exploitable vulnerability has been found in various
libc. At least NetBSD, OpenBSD and FreeBSD are vulnerable. The result is not
a vulnerability in a specific command. Almost any TCP/IP network related
program is vulnerable, including pure-ftpd. Patching and recompiling the C
library is not enough, as there are also statically linked programs that can
contain the buggy code.

  There have been some discussions saying that if all your queries are going
through a Bind 9 cache, you have a good band-aid for the resolver bug. On
the other hand, the official FreeBSD advisory says that there's no workaround.

  So: time to upgrade everything, or maybe rebuild everything from a clean
install. As an immediate workaround, try to disable DNS resolution in all
your daemons. For pure-ftpd, using the -H switch may keep it safe.

  I'm sorry, this thread isn't directly related to pure-ftpd, but as 99.9%
of people here are concerned, this is not off-topic. It's probably better to
read the same thing in 10 different locations than to have one's box compromised.

--
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <http://www.PureFTPd.Org/> Secure FTP Server    \' /
  \/  <http://www.Jedi.Claranet.Fr/> Misc. free software  \/


Is this enough for the Debian teams to put out new "secure" packages??
How does that work?

--
marco
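The two checks implied by the message above, written out as a script: does an sshd_config carry one of the two settings the quoted OpenSSH notice names as protecting against the pre-authentication bug, and do the installed OpenSSH, Apache and mod_ssl versions reach the minimums the quoted pure-ftpd mail gives (3.4, 1.3.26, 2.8.10). This is an added example, not code from the original post, from OpenSSH or from pure-ftpd. The sample sshd_config files and version strings are constructed, and the "name version" input format of needs_upgrade is an assumption: feed it whatever your own package query prints.

```shell
#!/bin/sh
# Added example (not from the original post): check sshd_config mitigations
# and minimum package versions. All sample data below is constructed.

# Print the effective value of a keyword in an sshd_config, lowercased.
# sshd takes the first occurrence of a keyword; keywords are case-insensitive;
# comments and blank lines are skipped. Only the "Keyword value" form is
# handled (assumption: no "Keyword=value" lines).
sshd_opt() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Returns 0 if the config has UsePrivilegeSeparation yes or
# ChallengeResponseAuthentication no (the two settings the OpenSSH notice
# quoted above names). A missing keyword counts as not mitigated, since the
# defaults in that era were privsep off and challenge-response on.
sshd_mitigated() {
    [ "$(sshd_opt "$1" UsePrivilegeSeparation)" = "yes" ] && return 0
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication)" = "no" ] && return 0
    return 1
}

# Returns 0 if dotted version $1 >= $2, comparing numerically component by
# component (so 2.8.10 > 2.8.9). A trailing non-numeric suffix such as the
# "p1" in 3.4p1 is ignored; a missing component counts as 0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a='' || a=${a#*.}
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Reads "name version" lines on stdin (assumed input format), prints one line
# per package below the minimum the pure-ftpd mail lists, returns 1 if any.
needs_upgrade() {
    rc=0
    while read -r name ver; do
        case $name in
            openssh) min=3.4 ;;
            apache)  min=1.3.26 ;;
            mod_ssl) min=2.8.10 ;;
            *) continue ;;
        esac
        if ! version_ge "$ver" "$min"; then
            echo "$name $ver < $min: upgrade"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample sshd_config files (not from any real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config.vuln" <<'EOF'
Port 22
# neither mitigation present
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
EOF
cat > "$SAMPLE_DIR/sshd_config.ok" <<'EOF'
Port 22
usePrivilegeSeparation YES
EOF
cat > "$SAMPLE_DIR/sshd_config.cra_off" <<'EOF'
# privsep not set (default off), but challenge-response disabled
ChallengeResponseAuthentication no
EOF

for f in sshd_config.vuln sshd_config.ok sshd_config.cra_off; do
    if sshd_mitigated "$SAMPLE_DIR/$f"; then
        echo "$f: mitigated"
    else
        echo "$f: NOT mitigated, upgrade to 3.4 or set ChallengeResponseAuthentication no"
    fi
done

# Constructed version list standing in for a package query.
if printf 'openssh 3.3\napache 1.3.26\nmod_ssl 2.8.9\n' | needs_upgrade; then
    echo "all listed packages at or above the required versions"
fi
```

The numeric comparison matters for mod_ssl: a plain string compare would call 2.8.9 newer than 2.8.10. sshd_opt reads only the first occurrence of each keyword because that is how sshd itself resolves duplicates.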


--
To UNSUBSCRIBE, email to debian-user-french-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


