Subject: Re: rfc2228 in ftpd
To: John Nemeth <>
From: None <>
List: tech-security
Date: 07/01/2002 09:22:30
>it around like magic dust.  Also, given that they sounded a major panic
>unnecessarily, I don't trust them.  They made it seem like I had to
>update all 20+ systems on the spot, when there was no need to update
>any of them, except to make a config change on a handful.  They just
>happen to be the best choice available at the moment.  However, I would
>really really like an alternative.

	there were reasons why they couldn't annouce the config file workaround
	when 3.3 release was made.
	- saying "disabling challenge authenticaiton will make you safe"
	  will make the location of the bug apparent, letting script kiddies
	  create attack code in less than a day
	  (and in fact, did you see posting on bugtraq?  in fact attack
	  code appeared in less than a day)
	- ditto for "disabling protocol version 2"

	i suggested markus to include the reasoning behind the way 3.3 -> 3.4
	upgrade path was annouced.  i think it will help a lot of people to
	understand why it had to be handled this way.