Subject: Re: Secure FTP on NetBSD/LINUX
To: Todd Gruhn <tgruhn2@mail.com>
From: Noah L. Meyerhans <frodo@morgul.net>
List: netbsd-users
Date: 06/09/2002 23:04:51
--DH4/xewco2zMcht6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sat, Jun 08, 2002 at 09:30:50PM +0800, Todd Gruhn wrote:
> I decided to scan my network (2 hosts) with SAINT.
> DEBIAN LINUX has wu-ftpd running, it will surrender
> root via the buffer overflow attack (or so SAINT says).
> I WANT THAT FIXED!
This is a very well known problem. Assuming you have Debian's security
sources in apt's sources.list, you are safe. Debian makes the minimal
changes necessary to close a security bug, and does not change the
version number. SAINT is just looking at the version number reported by
wu-ftpd and saying "Hey, this is the same version that has a remote root
hole!".
> My 2 NetBSD hosts do not suffer such a problem. SO, the next
> logical Q is: what version of ftpd comes with a stock NetBSD
> system? LukemFTP? Thats what the manpage alludes to...
> Will it install on LINUX? Any advice here?
Not only will it install on Linux, but it is packaged for Debian (at
least for the upcoming woody (3.0) release). However, if you scan the
bugtraq archives from a month or so ago, you'll see that lukemftpd is
not entirely without security issues of its own.
noah
--=20
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html=20
--DH4/xewco2zMcht6
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9BBdSYrVLjBFATsMRAptnAJ9MvmFR4ftOeqqPAFFM4h7U74nasgCeKpuh
Zwb3Xc0B6cib3PzcGk8TSBY=
=hzRU
-----END PGP SIGNATURE-----
--DH4/xewco2zMcht6--