On 08/18/11 18:14, Tim Howe wrote:
> Is anyone working on ProFTPd? Are there special difficulties with
> getting it working on OpenBSD, or has there just been a lack of
> interest?
>
> --TimH
>

Hi,
proftpd used to be in the ports, a search would show that, and reason for the removal, security issues. Has it improved - these might help...

"The ProFTPD Project team is sorry to announce that the Project's main FTP server, as well as all of the mirror servers, have carried compromised versions of the ProFTPD 1.3.3c source code, from the November 28 2010 to December 2 2010. All users who run versions of ProFTPD which have been downloaded and compiled in this time window are strongly advised to check their systems for security compromises and install unmodified versions of ProFTPD.

By analyzing log files recovered from the compromised server, we can confirm that the primary FTP site was compromised earlier than originally announced. In addition to the previously reported period from 2010-Nov-28 to 2010-Dec-02, ftp.proftpd.org and the ProFTPD mirror network distributed files with malicious content on 2010-Nov-16 between about 08:00 UTC and 13:00 UTC."

+ Fixes CVE-2011-1137 (badly formed SSH messages cause DoS). See http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.
+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
+ Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925)
+ Fixed directory traversal bug in mod_site_misc

Back in the mail lists, a suggestion was to use pure-ftpd, rather than proFTPd that is in the ports and maintained.

Regards

Nigel Taylor