Bugtraq mailing list archives

Re: BUG IN ALL PROFTP 1.2 VERSIONS ALSO RC1


From: MacGyver <macgyver () TOS NET>
Date: Wed, 26 Jul 2000 18:02:07 -0500

Just to comment briefly on this...

It's unfortunate that people immediately push the panic button when they
think they've discovered the 'next big security hole', be it in ProFTPD or
any piece of software, and then post to a forum such as this that they've
discovered this 'MAJOR SECURITY HOLE' -- in the obligatory all caps, of
course.

As has been mentioned by others:

1) Yes, there is a bug in ProFTPD.

2) No, it is not an exploit, and can only loosely, IMO, be characterized as
a security hole -- and that's stretching it.

3) It will crash child servers when sent a line with a blank command.

4) This was fixed within about 10 minutes of the receipt of an email I saw
on one of the ProFTPD lists regarding the matter.

I wasn't notified by anyone that there was going to be a BUGTRAQ post about
it, nor that there was an issue...I actually happened to see the message on
the ProFTPD mailing list on the matter.  So unfortunately, there wasn't any
particular lead time given to the reporting of this issue.  Had the author
contacted me directly before posting, I suspect that the post wouldn't have
ever been made, since this isn't really a security issue.

The net effect of these types of posts is to reduce the confidence that
people have in software, in this case one I maintain.  Regardless of whether
it's a real issue or not, the perception becomes 'oh, that program has had X
posts on BUGTRAQ about it...it must be bad'.

On the flip side, I would rather have people being overzealous about finding
bugs than not caring at all -- though with people crying wolf so often, it
does become a bit of a challenge to strike the right balance of healthy
paranoia versus downright alarmism.

-MacGyver
