Isn't this the default ftp server in SuSE? Does SuSE have it's own patches for this? If not it may be worth looking at this guys work. Happy New Year Everyone and good luck catching up with all the extra work created by the xmas/new year break! -Nix

Approved-By: beng@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com Date: Thu, 28 Dec 2000 13:13:30 -0800 Reply-To: bugtraq@THEOPHILUS.REACHIN.COM Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: "Trenholme, Sam" <bugtraq@THEOPHILUS.REACHIN.COM> Subject: Linux port of OpenBSD ftpd patched X-cc: david.madore@ens.fr, rrw@reptile.eu.org To: BUGTRAQ@SECURITYFOCUS.COM

I have patched David Madore's Linux port of OpenBSD's ftpd against the problems present in replydirname(). While the word is that Linux is not currently exploitable, it is better to be safe than sorry.

I have also patched against the setproctitle() problems previously reported here, even though they are a non-issue due to the manner David Madore ported OpenBSD's FTPD to Linux.

The patches are against the 0.2.3 release of ftpd-BSD (David Madore's name for the port), and are available in RPM format here:

http://www.samiam.org/rpms/

David Madore: Thank you for your hard work porting OpenBSD ftpd to Linux. I hope an official patched release will come to light soon.

- Sam

--- Nix - SuSE-Security FAQ Maintainer http://www.cotse.com/nix/suse-security-faq/