Bugtraq mailing list archives
Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1
From: MacGyver <macgyver () TOS NET>
Date: Wed, 26 Jul 2000 18:02:07 -0500
Just to comment briefly on this...

It's unfortunate that people immediately push the panic button when they think they've discovered the 'next big security hole', be it in ProFTPD or any piece of software, and then post to a forum such as this that they've discovered this 'MAJOR SECURITY HOLE' -- in the obligatory all caps, of course.

As has been mentioned by others:

1) Yes, there is a bug in ProFTPD.
2) No, it is not an exploit, and can only loosely, IMO, be characterized as a security hole -- and that's stretching it.
3) It will crash child servers when sent a line with a blank command.
4) This was fixed within about 10 minutes of the receipt of an email I saw on one of the ProFTPD lists regarding the matter.

I wasn't notified by anyone that there was going to be a BUGTRAQ post about it, nor that there was an issue...I actually happened to see the message on the ProFTPD mailing list on the matter. So unfortunately, there wasn't any particular lead time given to the reporting of this issue. Had the author contacted me directly before posting, I suspect that the post wouldn't have ever been made, since this isn't really a security issue.

The net effect of these types of posts is to reduce the confidence that people have in software, in this case one I maintain. Regardless of whether it's a real issue or not, the perception becomes 'oh, that program has had X posts on BUGTRAQ about it...it must be bad'.

On the flip side, I would rather have people being overzealous about finding bugs, than not caring at all -- though with people crying wolf so often, it does become a bit of a challenge to strike the right balance of healthy paranoia versus downright alarmism.

-MacGyver
Current thread:
- BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1 Carlos Eduardo Gorges (Jul 25)
- Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1 Daniel Jacobowitz (Jul 26)
- Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1 Rodrigo Barbosa (aka morcego) (Jul 26)
- Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1 Nic Bellamy (Jul 26)
- Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1 MacGyver (Jul 27)