Date:         Wed, 8 Sep 1999 05:27:02 -0500
From: MacGyver <macgyver@TOS.NET>
Subject:      ProFTPD 1.2.0pre5
To: BUGTRAQ@SECURITYFOCUS.COM

Just a quick note to folks -- I've released ProFTPD 1.2.0pre5.  This release
should *CORRECTLY* address the security issues pointed out earlier.  Some
release notes:

1) There's been a decent security review of the code.  I won't claim that
there are no holes, but we've gone through and addressed every potential
area we can think of.  To my knowledge, there are no unsafe buffer copies
taking place in pre5.  If you find any, please drop me a line or better yet,
a patch. :)  I've eliminated all use of nasty things like strcpy, sprintf,
and friends, which should help.

2) The patches that have been posted both to BUGTRAQ and the ProFTPD mailing
lists do **NOT** fix the security hole in ProFTPD.  You need to get ProFTPD
pre5 for that.  So let me repeat it again: THE PATCHES PREVIOUSLY RELEASED
BY OTHERS TO BUGTRAQ AND THE PROFTPD LISTS DO NOT WORK, AND IN AT LEAST TWO
CASES HAVE **CREATED** HOLES.  PLEASE OBTAIN PRE5 WHICH SHOULD ADDRESS THESE
ISSUES.

3) The CVS repository on proftpd.org is live again, for now anyway. :)  For
those who prefer CVS, you can grab the latest from the same place as always.

4) A couple of Y2K issues were discovered and corrected in ProFTPD.

5) I'd like to thank everyone who offered me the use of a FreeBSD system for
testing purposes.  I finally got around to installing a few more gig on my
drive, and through the lovely magic of VMWare (www.vmware.com), I got a VM
going with FreeBSD on it that I've been using for testing.  ProFTPD is known
to compile and run on FreeBSD 3.2 out of the box.

6) There's a new directive, by popular request: Bandwidth.  It allows you to
(obviously) limit the bandwidth of a given connection.

That's about it.  Enjoy.  One last note for Solaris, Linux, and FreeBSD
users at least:

ProFTPD's configuration will automagically probe to see if you have PAM, and
if you do, it *WILL* use it.  This is why Solaris people have reported
problems missing shadow support, I suspect.  THIS IS BY DESIGN.  PAM is an
inherently more flexible and standardized way to do authentication security,
and whenever possible, ProFTPD will try to use it.  It eliminates a lot of
ugly, problematic code, and makes it easy to support C2 and trusted systems
with PAM support.  I've tested PAM on Linux and FreeBSD.  I've got no access
to Solaris right now, sorry.  Please take a look at your system
documentation for more information about PAM, as well as the sample PAM
configuration file in the contrib directory.

For general ProFTPD questions/support, please email proftpd@proftpd.net.

MacGyver.
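Point 1 above says the release replaced unbounded string functions such as strcpy and sprintf. The following is an added illustration of that class of change, written for this page and not taken from ProFTPD's source: an unbounded sprintf-based path builder next to a bounded version that reports truncation instead of overflowing, plus a portable bounded copy routine. All function and buffer names (build_path_unsafe, build_path_safe, copy_bounded, PATH_BUF) are assumptions made for the example.

```c
/* Added example: bounded replacements for the unbounded string functions
 * the announcement says were removed (strcpy, sprintf). Illustrative code
 * written for this page, not ProFTPD source. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 32   /* deliberately small so the checks are easy to exercise */

/* The pattern being replaced: sprintf/strcpy write as many bytes as the
 * input demands, so a long 'name' runs past the end of 'out'. Shown for
 * contrast only; nothing here calls it with oversized input. */
void build_path_unsafe(char *out, const char *dir, const char *name)
{
    sprintf(out, "%s/%s", dir, name);   /* no bound on 'out' */
}

/* Hardened form: snprintf never writes more than outsz bytes (including the
 * terminating NUL), and its return value reveals whether the result was
 * truncated. Returns 0 on success, -1 when the full path does not fit. */
int build_path_safe(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';      /* don't hand back a half-built path */
        return -1;
    }
    return 0;
}

/* A strcpy replacement with the same contract: copy at most dstsz-1 bytes,
 * always NUL-terminate, and report truncation instead of overflowing.
 * (strlcpy is not in ISO C, so a portable version is written out here.) */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0)
        return -1;
    if (len >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char buf[PATH_BUF];

    if (build_path_safe(buf, sizeof buf, "/home/ftp", "pub") == 0)
        printf("ok: %s\n", buf);

    /* A 40-character name cannot fit in 32 bytes: rejected, not overflowed. */
    if (build_path_safe(buf, sizeof buf, "/home/ftp",
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") != 0)
        printf("rejected oversized path\n");

    return 0;
}
```

The key habit the example shows is treating the return value of the bounded call as a security check rather than ignoring it: a truncated path or username is a different string from the one the client sent, so the caller should fail the operation, not proceed with the shortened value.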