
RE: security flaws in proftpd/wuftpd ?



Actually, it has been mentioned in Debian Weekly News.

Proftpd seems like it was designed with security in mind,
much more so than wu-ftpd.  Do you remember the date of that post
that discussed the design flaws?  I'd like to read it.

proftpd just switched primary developers.  As such, it's
receiving a major overhaul.  Now they're trying to shake the last of
the bugs out for 1.2.0.  That's where all those proftpd-1.2.0preX
versions are coming from.

offtopic: One of the holes that was fixed a few weeks back stemmed
from the fact that something like this happened:
        strncpy(acharbuffer, userinput, X)
which supposedly led to a buffer overflow.  Could someone explain
how a buffer overflow could happen with strNcpy?   I thought using
strNcpy pretty much stopped buffer overflows cold.

Thanks,
        Bryan


On 16-Oct-99 aphro wrote:
> i find it very surprising that there is not even a peep from debian
> developers about the massive security holes in proftpd and the minor ones
> in wu.ftpd ..virtually all the other distros announced.  even if there is
> not a good fix people should be made aware not everyone watches bugtraq.
> 
> unless the version(s) of proftpd in debian are safe? i read a post that
> talked about flaws in the very design of it, making it secure would
> require almost an entire re-write of the whole package.
> 
> i posted to debian-user a few weeks back askin for help with this issue
> but never saw a reply(if there was sorry i must've missed it)
> 
> nate
> (just tryin to watch out for fellow debian users)
> 
>
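
On the strncpy question in the message above, an added example (not part of the original post and not proftpd's code; the thread does not say which defect the proftpd fix addressed): when the input is at least X bytes long, strncpy fills the buffer and writes no terminating NUL, so later string functions read past its end, and if X is larger than the buffer the copy itself overflows. BUF_LEN, the function names and the input strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8   /* constructed size, stands in for the post's X */

/* Returns 1 if buf[0..len-1] contains a NUL terminator, else 0. */
static int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The pattern from the post. If strlen(src) >= len, strncpy writes
 * exactly len bytes and appends no terminator. */
static int copy_risky(char *dst, size_t len, const char *src)
{
    strncpy(dst, src, len);
    return is_terminated(dst, len);
}

/* Hardened form: always terminates; returns -1 if src was truncated. */
static int copy_safe(char *dst, size_t len, const char *src)
{
    size_t n;

    if (len == 0)
        return -1;
    n = strlen(src);
    if (n >= len) {
        memcpy(dst, src, len - 1);
        dst[len - 1] = '\0';
        return -1;              /* caller should reject or log */
    }
    memcpy(dst, src, n + 1);    /* includes the terminator */
    return 0;
}

int main(void)
{
    char buf[BUF_LEN];
    const char *longer = "AAAAAAAAAAAA";   /* constructed 12-byte input */

    printf("short input terminated: %d\n", copy_risky(buf, sizeof buf, "ftp"));
    printf("long input terminated:  %d\n", copy_risky(buf, sizeof buf, longer));
    /* strlen(buf), strcat or printf("%s", buf) on that result would read past buf. */
    printf("safe copy rc: %d\n", copy_safe(buf, sizeof buf, longer));
    printf("safe result:  \"%s\"\n", buf);
    return 0;
}
```
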

