Date: Tue, 21 Jan 2003 19:14:08 +0200
From: Maxim Sobolev <sobomax@portaone.com>
To: "Crist J. Clark" <cjc@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/libexec/ftpd ftpd.c
Message-ID: <3E2D7FE0.A89831BC@portaone.com>
References: <200301210513.h0L5D2DB061636@repoman.freebsd.org>

"Crist J. Clark" wrote:
>
> cjc 2003/01/20 21:13:02 PST
>
> Modified files:
> libexec/ftpd ftpd.c
> Log:
> The FTP daemon was vulnerable to a DoS where an attacker could bind()
> up port 20 for an extended period of time and thus lock out all other
> users from establishing PORT data connections. Don't hold on to the
> bind() while we loop around waiting to see if we can make our
> connection.
>
> Being a DoS, it has security implications, giving it a short MFC
> time.

Huh? What DoS and security implications are you talking about? Without
having root, a user will be unable to bind on port 20 anyway, and this
is the default behaviour of FreeBSD. Therefore, I don't think that a short
MFC timeframe and subsequent merging into security branches are really
justified.

-Maxim