From owner-freebsd-security Wed Apr 11 2:19: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80])
	by hub.freebsd.org (Postfix) with ESMTP id DE95B37B424
	for ; Wed, 11 Apr 2001 02:18:55 -0700 (PDT)
	(envelope-from eugen@www.svzserv.kemerovo.su)
Received: (from eugen@localhost)
	by www.svzserv.kemerovo.su (8.9.3/8.9.3) id RAA79266;
	Wed, 11 Apr 2001 17:18:43 +0800 (KRAST)
	(envelope-from eugen)
Date: Wed, 11 Apr 2001 17:18:43 +0800
From: Eugene Grosbein
To: Anton Vladimirov
Cc: security@FreeBSD.ORG
Subject: Re: ftp vulnerability
Message-ID: <20010411171843.A78034@svzserv.kemerovo.su>
References: <15739596567.20010411131004@mail.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <15739596567.20010411131004@mail.ru>; from admin128@mail.ru on Wed, Apr 11, 2001 at 01:10:04PM +0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Apr 11, 2001 at 01:10:04PM +0400, Anton Vladimirov wrote:

> I run FreeBSD 4.0-RELEASE with all security patches applied.
> Could anyone clearly explain how to fix the recent
> ftpd hole for this version?

You can use a workaround: put a record into /etc/login.conf:

anonftp:\
	:datasize=16M:\
	:stacksize=8M:\
	:memoryuse=16M:\
	:priority=5:\
	:tc=default:

Choose values suitable for you. Then do

	cap_mkdb /etc/login.conf

and set the login class of user 'ftp' to anonftp.
This will prevent exploiting this hole.

Eugene
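A check that the workaround described in the reply above is in place, as an added example that is not part of the original message. It reads a login.conf-format file and a master.passwd-format file and confirms that the user's login class sets the three memory limits; the function names and the sample ftp entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that the workaround is applied.

# Print the login class of user $2: field 5 of a master.passwd-format file $1.
login_class_of() {
    awk -F: -v u="$2" '$1 == u { print $5; exit }' "$1"
}

# Print the capabilities of class $2 in login.conf-format file $1, one per
# line, after joining backslash-continued lines. tc= inheritance is not followed.
class_caps() {
    awk -v c="$2" '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, ""); rec = rec $0 }
        /\\$/ { sub(/\\$/, "", rec); next }
        { n = split(rec, f, ":"); rec = ""
          k = split(f[1], names, "|")
          for (i = 1; i <= k; i++) if (names[i] == c) {
              for (j = 2; j <= n; j++) if (f[j] != "") print f[j]
              exit
          }
        }' "$1"
}

# Return 0 only if user $3 has a class that sets all three memory limits.
check_workaround() {
    class=$(login_class_of "$2" "$3")
    [ -n "$class" ] || { echo "$3: no login class set"; return 1; }
    caps=$(class_caps "$1" "$class")
    for cap in datasize stacksize memoryuse; do
        echo "$caps" | grep -Eq "^$cap(-cur|-max)?=" ||
            { echo "$3: class $class does not set $cap"; return 1; }
    done
    echo "$3: class $class sets datasize, stacksize and memoryuse"
}

# Constructed sample files: the record from the post and a made-up ftp entry.
demo=$(mktemp -d)
printf '%s\n' 'anonftp:\' '  :datasize=16M:\' '  :stacksize=8M:\' \
    '  :memoryuse=16M:\' '  :priority=5:\' '  :tc=default:' > "$demo/login.conf"
echo 'ftp:*:14:5:anonftp:0:0:Anonymous FTP:/var/ftp:/nonexistent' > "$demo/master.passwd"
check_workaround "$demo/login.conf" "$demo/master.passwd" ftp
```

On a live system the arguments would be /etc/login.conf and /etc/master.passwd; the check reads the text file, so it does not confirm that cap_mkdb has been run since the last edit.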