Subject: Re: rfc2228 in ftpd
To: John Nemeth <email@example.com>
From: None <firstname.lastname@example.org>
Date: 07/01/2002 09:22:30
>it around like magic dust. Also, given that they sounded a major panic
>unnecessarily, I don't trust them. They made it seem like I had to
>update all 20+ systems on the spot, when there was no need to update
>any of them, except to make a config change on a handful. They just
>happen to be the best choice available at the moment. However, I would
>really really like an alternative.
there were reasons why they couldn't annouce the config file workaround
when 3.3 release was made.
- saying "disabling challenge authenticaiton will make you safe"
will make the location of the bug apparent, letting script kiddies
create attack code in less than a day
(and in fact, did you see posting on bugtraq? in fact attack
code appeared in less than a day)
- ditto for "disabling protocol version 2"
i suggested markus to include the reasoning behind the way 3.3 -> 3.4
upgrade path was annouced. i think it will help a lot of people to
understand why it had to be handled this way.