RE: security flaws in proftpd/wuftpd ?

To: Bryan Scaringe <Bryan.Scaringe@computer.org>
Cc: debian-user@lists.debian.org
Subject: RE: security flaws in proftpd/wuftpd ?
From: aphro <nate@firetrail.com>
Date: Sat, 16 Oct 1999 21:30:09 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.4.20.9910162128450.11273-100000@galactica.firetrail.com>
In-reply-to: <[🔎] XFMail.991016213936.Bryan.Scaringe@computer.org>

i dont have the date of the post..i rm my mail weekly ..didnt know about
the weekly news thing i knew it existed but never read it yet.. i did/do
check freshmeat/linuxtoday/linuxweeklynews/bugtraq/(others?) regularly and
never saw a mention.

nate

----------------------------------------[mailto:aphro@aphroland.org ]--
      Linux System Administrator           http://www.firetrail.com/
  Firetrail Internet Services Limited      http://www.aphroland.org/
       Everett, WA 425-348-7336            http://www.linuxpowered.net/
            Powered By:                    http://comedy.aphroland.org/
    Debian 2.1 Linux 2.0.36 SMP            http://yahoo.aphroland.org/
-----------------------------------------[mailto:aphro@netquest.net ]--

On Sat, 16 Oct 1999, Bryan Scaringe wrote:

> Actually, .t has been mentioned in Debian Weekly News.
> 
> Proftpd seems like it was designed with security in mind,
> much more so than wu-ftpd.  Do you remember the date of that post
> that discussed the design flaws?  I'd like to read it.
> 
> proftpd just switched primary developers.  As such, it's
> receiving a major over-haul.  Now they're trying to shake the last of
> the bugs out for 1.2.0.  That's where all those proftpd-1.2.0preX
> versions are comming from.
> 
> offtopic: One of the hols that was fixed a few weeks back stemmed
> from the fact that something like this happened:
>         strncpy(acharbuffer, userinput, X)
> which supposedly led to a buffer overflow.  Could someone explain
> how a buffer overflow could happen with strNcpy?   I thought using
> strNcpy pretty much stopped buffer overflows cold.
> 
> Thanks,
>         Bryan
> 
> 
> On 16-Oct-99 aphro wrote:
> > i find it very suprising that there is not even a peep from debian
> > developers about the massive security holes in proftpd and the minor ones
> > in wu.ftpd ..virtually all the other distros announced.  even if there is
> > not a good fix people should be made aware not everyone watches bugtraq.
> > 
> > unless the version(s) of proftpd in debian are safe? i read a post that
> > talked about flaws in the very design of it, making it secure would
> > require almost an entire re-write of the whole package.
> > 
> > i posted to debian-user a few weeks back askin for help with this issue
> > but never saw a reply(if there was sorry i must've missed it)
> > 
> > nate
> > (just tryin to watch out for fellow debian users)
> > 
> >
>

Reply to:

References:
- RE: security flaws in proftpd/wuftpd ?
  - From: Bryan Scaringe <Bryan.Scaringe@computer.org>

Prev by Date: Re: How's the CDROM problem, solved?
Next by Date: Re: dselect can not allocate memory
Previous by thread: RE: security flaws in proftpd/wuftpd ?
Next by thread: WMPPP.APP and transfer rate
Index(es):
- Date
- Thread