Date: Tue, 10 Apr 2001 22:55:28 -0400
From: Keith Stevenson
To: Nicole Harrington
Cc: freebsd-security@freebsd.org
Subject: Re: FTPD ... (to: alexus)
Message-ID: <20010410225527.A18857@osaka.louisville.edu>

I gleaned the following from looking through the commit logs in my local copy
of the source repository:

Two files in src/libexec/ftpd appear to have been changed to address the
globbing bug, ftpd.c and popen.c. The solution also appears to rely upon some
changes made to libc.

popen.c
-------
revision 1.20 (CURRENT)
date: 2001/03/19 19:11:00; author: jlemon; state: Exp; lines: +3 -1
Teach ftpd about the new GLOB_MAXPATH flag.

revision 1.18.2.2 (RELENG_4)
date: 2001/03/21 14:40:37; author: jlemon; state: Exp; lines: +3 -1
MFC: globbing limits for ftpd.

revision 1.15.2.2 (RELENG_3)
date: 2001/04/08 00:15:00; author: jedgar; state: Exp; lines: +3 -1
MFC: globbing limits for ftpd

ftpd.c
------
revision 1.74 (CURRENT)
date: 2001/03/19 19:11:00; author: jlemon; state: Exp; lines: +10 -1
Teach ftpd about the new GLOB_MAXPATH flag.

revision 1.62.2.9 (RELENG_4)
date: 2001/03/21 14:40:36; author: jlemon; state: Exp; lines: +11 -1
MFC: globbing limits for ftpd.

This indicates that the problem was addressed in CURRENT on 3/19, in
4.2-STABLE on 3/21, and was partially implemented in 3.5-STABLE on 4/8. (The
ftpd.c portion of the fix does not seem to have been committed to the 3.5
branch.)

Personally, I'd do a full cvsup to address this.

I'm sure that lots of people will let me know if I've mis-stated anything. :)

Regards,
--Keith Stevenson--

-- 
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
keith.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE

On Tue, Apr 10, 2001 at 04:38:59PM -0700, Nicole Harrington wrote:
>
> Does anyone know this information??
>
> "We have corrected these bugs in FreeBSD 5.0-CURRENT and FreeBSD 4.2-STABLE"
>
> Current and Stable are moving targets. How can people just say these things.
> I can assume, but we all know what that means. Stable as of When has the
> patches. I can get the ftpd patch where if I don't want to do a full cvsup??
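Added example, not part of the original message or of FreeBSD's own tooling: an sh helper that compares the revision in a source file's $FreeBSD$ ident string against the fix revisions listed in the message above, which answers "does my tree have the patch?" without a full cvsup. The function names and the sample ident lines are constructed for illustration; a revision on a branch the message does not list is reported as unknown rather than guessed.

```shell
#!/bin/sh
# First fixed revision per file and branch, exactly as listed in the message.
FIXED="popen.c:1.20 popen.c:1.18.2.2 popen.c:1.15.2.2 ftpd.c:1.74 ftpd.c:1.62.2.9"

# RCS revisions are <branch>.<level>: 1.62.2.9 is level 9 on branch 1.62.2,
# and trunk revision 1.74 is level 74 on branch 1.
branch_of() { echo "${1%.*}"; }
level_of()  { echo "${1##*.}"; }

# glob_fix_status FILE REV  (hypothetical helper)
# Prints fixed, not-fixed, or unknown (branch not covered by the message).
glob_fix_status() {
    file=$1; rev=$2
    for entry in $FIXED; do
        f=${entry%%:*}; fixrev=${entry#*:}
        [ "$f" = "$file" ] || continue
        # Levels are only comparable on the same branch.
        [ "$(branch_of "$rev")" = "$(branch_of "$fixrev")" ] || continue
        if [ "$(level_of "$rev")" -ge "$(level_of "$fixrev")" ]; then
            echo fixed
        else
            echo not-fixed
        fi
        return 0
    done
    echo unknown
}

# check_ident LINE  (hypothetical helper)
# Extracts "<file> <rev>" from a $FreeBSD$ ident line and classifies it.
check_ident() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's|.*\$FreeBSD: .*/\([^/]*\),v \([0-9.]*\) .*|\1 \2|p')
    [ $# -eq 2 ] || { echo unparsable; return 1; }
    glob_fix_status "$1" "$2"
}

# Constructed sample ident lines (on a real system: ident /usr/src/libexec/ftpd/*.c).
# The 1.50.2.3 revision is made up to show a branch the message does not list.
while IFS= read -r line; do
    printf '%s -> %s\n' "$line" "$(check_ident "$line")"
done <<'EOF'
$FreeBSD: src/libexec/ftpd/ftpd.c,v 1.62.2.8 2001/01/01 00:00:00 nobody Exp $
$FreeBSD: src/libexec/ftpd/popen.c,v 1.18.2.2 2001/03/21 14:40:37 jlemon Exp $
$FreeBSD: src/libexec/ftpd/ftpd.c,v 1.50.2.3 2001/01/01 00:00:00 nobody Exp $
EOF
```

A "fixed" result covers only the two ftpd files; the message notes that the solution also relies on libc changes, which this check does not inspect.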