Date: Tue, 19 Oct 1999 00:00:00 GMT
From: WU-FTPD Development Group <[email protected]>
To: WU-FTPD Questions <[email protected]>,
   WU-FTPD Discussion List <[email protected]>,
   WU-FTPD Announcements <[email protected]>,
   FIRST Info <[email protected]>
Subject: WU-FTPD 2.6.0 Released

DISTRIBUTION RESTRICTIONS: FOR PUBLIC RELEASE

-----BEGIN PGP SIGNED MESSAGE-----

The WU-FTPD Development Group is pleased to announce the release of Version
2.6.0 of the WU-FTPD daemon.

This release includes a number of critical security enhancements and
corrections.  All sites are strongly advised to upgrade to version 2.6.0
for maximum security.

Version 2.6.0 also provides a number of new features and corrections.  A
summary of the changes appears below.

WU-FTPD Version 2.6.0 is available for download from the primary
distribution site:

 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.gz
 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.gz.asc
 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.Z
 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.Z.asc

MD5 sums for these files are:

 2857df9511e3a188bf5b0d92e1f8b36f  wu-ftpd-2.6.0.tar.Z
 ea5832b6822adbce9f9d882994b8cc96  wu-ftpd-2.6.0.tar.Z.asc
 652cfe4b59e0468eded736e7c281d16f  wu-ftpd-2.6.0.tar.gz
 83373918952617c5a6d480177c8dc74d  wu-ftpd-2.6.0.tar.gz.asc

A full list of international mirrors appears at the end of this email.
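The sums above are meant to be checked before the tarball is unpacked.  The script below is an added example, not part of this announcement or of the WU-FTPD distribution: it verifies every file named in an MD5 list written in the same "<md5sum>  <filename>" layout as the list above, reporting files that are missing or altered.  It assumes GNU coreutils md5sum; the sample files, their contents and the list in demo_verify are constructed for the self-check and do not correspond to the real release files.

```shell
#!/bin/sh
# Added example, not part of the WU-FTPD announcement or distribution: check
# downloaded files against an MD5 list in the "<md5sum>  <filename>" layout
# used in release announcements.  Assumes GNU coreutils md5sum.

# verify_md5_list LISTFILE DIR
# Reports OK / MISMATCH / MISSING for every file named in LISTFILE; returns 0
# only if all of them exist in DIR and match.  Unlisted files are ignored.
verify_md5_list() {
    status=0
    while read -r sum name; do
        if [ -z "$name" ]; then
            continue                    # blank or malformed line
        fi
        if [ ! -f "$2/$name" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual=$(md5sum "$2/$name" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $sum, got $actual)"
            status=1
        fi
    done < "$1"
    return $status
}

# demo_verify
# Constructed self-check: one intact file, one altered file and one file that
# the list names but that was never downloaded.  Returns 1 because of the
# latter two.  The sums are those of the literal strings written below.
demo_verify() {
    tmp=$(mktemp -d)
    printf 'abc' > "$tmp/good.tar.gz"
    printf 'abd' > "$tmp/altered.tar.gz"
    cat > "$tmp/MD5SUMS" <<'EOF'
900150983cd24fb0d6963f7d28e17f72  good.tar.gz
900150983cd24fb0d6963f7d28e17f72  altered.tar.gz
d41d8cd98f00b204e9800998ecf8427e  missing.tar.gz
EOF
    verify_md5_list "$tmp/MD5SUMS" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: ./verify_md5.sh MD5SUMS /path/to/downloads
if [ $# -eq 2 ]; then
    verify_md5_list "$1" "$2"
else
    echo "usage: $0 MD5SUMS DIR  (no arguments given: running the self-check)" >&2
    demo_verify || true
fi
```

An MD5 list published in the same message as the download only catches transfer corruption or a mirror serving the wrong bytes; what binds the files to the Development Group is the detached .asc signature, which should be checked against the PGP key named later in this message (for example with `gpg --verify wu-ftpd-2.6.0.tar.gz.asc wu-ftpd-2.6.0.tar.gz` once that key has been imported).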



###########################################################################



Security updates

o  The SITE NEWER feature has been disabled.  A compile-time option has
   been added to re-enable it.  See config.h.noac for more information on
   this.

o  Filename globs for LIST, NLST and SITE EXEC, as well as a few internal
   uses, are simplified before processing.  For example: */./../* becomes
   just *.  This prevents certain memory starvation DoS attacks.
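The normalisation rule described above, as an added shell illustration (the daemon's own routine is written in C and is not reproduced here): redundant "/./" components and "<component>/../" pairs are stripped until the pattern stops changing, so the announcement's example "*/./../*" collapses to "*".  The further sample patterns are constructed.  Collapsing "<component>/../" treats the component as a directory, which is the reading the announcement gives for "*".

```shell
#!/bin/sh
# Added example, not WU-FTPD code: normalise a glob pattern the way the
# announcement describes, so that "*/./../*" collapses to "*".

# simplify_glob PATTERN
# Repeatedly removes "/./" components, a trailing "/.", a leading "./" and any
# "<component>/../" pair until the pattern stops changing, then prints it.
# A leading "../" has nothing to cancel against and is left alone.
simplify_glob() {
    pat="$1"
    prev=
    while [ "$pat" != "$prev" ]; do
        prev="$pat"
        pat=$(printf '%s\n' "$pat" | sed \
            -e 's|/\./|/|g' \
            -e 's|/\.$||' \
            -e 's|^\./||' \
            -e 's|[^/]*/\.\./||')
    done
    printf '%s\n' "$pat"
}

# Stand-alone use: ./simplify_glob.sh PATTERN ...
# With no arguments, show the announcement's example and a few constructed ones.
if [ $# -gt 0 ]; then
    for p in "$@"; do simplify_glob "$p"; done
else
    for p in '*/./../*' 'pub/./incoming/../*.tar.gz' '*/./././*' '../*'; do
        printf '%-28s -> ' "$p"
        simplify_glob "$p"
    done
fi
```

The loop matters: a chain such as "*/./././*" needs more than one pass because the sed substitutions do not overlap, and it is exactly such long chains of no-op components that make a pattern expensive to expand while matching nothing new.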

o  Fixed a bug in the restricted-uid/gid feature which could allow access
   outside the user's home directory in some cases.

o  Prevent buffer overruns when processing message files.

o  Corrected an error in the MAPPING_CHDIR feature which could be used to
   gain root privileges on the server.

o  Anonymous users could access the server even though no class was
   defined for them.  This has been corrected.

o  A buffer overrun in the ftpshut command has been corrected.  Since, on
   most sites, the ftpshut command is only usable by the superuser, this
   is not considered a security issue.  If you have installed ftpshut with
   suid-root permissions (not the default), then there is the possibility
   this overrun could be used to leverage root permissions.

o  Guest and anonymous logout was not recorded on Linux.  Removed call to
   updwtmp and returned to old method of updating the lastlog.

o  A security deficiency on SunOS 4.1, which lacks a working getcwd()
   function, has been corrected by using the getcwd() function provided
   with the daemon.  Compilation bugs in that portable getcwd() function
   have also been corrected.

o  A bug in the parsing for the deny !nameserved ftpaccess clause has been
   corrected.



Major additions

o  Added the email-on-upload feature from BeroFTPD.  See the ftpaccess man
   page for defaults on these added ftpaccess clauses:

       mailserver <hostname>
       incmail <emailaddress>
       mailfrom <emailaddress>
       virtual <address> incmail <emailaddress>
       virtual <address> mailfrom <emailaddress>
       defaultserver incmail <emailaddress>
       defaultserver mailfrom <emailaddress>

o  Redhat added the -I option to disable RFC931 (AUTH/ident) lookups.  It
   has been added to the baseline so Redhat users don't lose a feature.
   Setting the RFC931 timeout to zero in the ftpaccess file has the same
   effect.

o  Added -V command-line option to View the copyright and exit.

o  Added the privatepw command and documentation.

o  Added Kent Landfield's NEWVIRT scheme for extensive virtual hosting.
   See the updated documentation on virtual hosting for details.

o  ftprestart has been added to the base daemon kit.

o  Several new ftpaccess clauses have been added.  These allow control of
   the various timeouts used within the daemon.  The new clauses are:

       timeout accept <seconds>
       timeout connect <seconds>
       timeout data <seconds>
       timeout idle <seconds>
       timeout maxidle <seconds>
       timeout RFC931 <seconds>

o  Enhanced DNS extensions.  This adds three ftpaccess clauses:

       dns refuse_mismatch <filename> [override]
       dns refuse_no_reverse <filename> [override]
       dns resolveroptions [options]

o  The daemon may now be built using GNU autoconf.  This is in the early
   stages and not all platforms may be supported.  The old build system
   will be maintained for at least the 2.6.0 release, until the major
   platforms are all known to be supported.

o  Two new ftpaccess clauses have been added.  These allow the site admin
   to selectively allow PORT and PASV data connections where the remote IP
   address does not match the remote IP address of the control connection.
   The new clauses are:

       port-allow <class> [<addrglob> ...]
       pasv-allow <class> [<addrglob> ...]

o  Added an ftpaccess clause to enable TCP keepalives.  This clause is:

       keepalive <yes|no>

o  The xferlog filename for the default server can now be specified in the
   ftpaccess file, just as it can for virtual hosts.  The new clause is:

       xferlog <absolute path>

o  Added an internal implementation of /bin/ls.  Testing showed the code
   was not quite ready for production use, so the feature has been
   disabled and labeled experimental.



Major corrections

o  Corrections for RFC compliance can break some clients.  If possible, the
   broken client should be updated, but a compile-time option has been
   added.  See the config.h.noac for more information on this.

o  The test for whether restricted-uid/restricted-gid applied should have
   been done before the chroot so it used the system /etc/passwd and
   /etc/group files.

o  deny-uid and deny-gid were being tested for anonymous users.  Bad move;
   it's too easy to forget to allow them.  Use 'defaultserver private' to
   keep anonymous users away.

o  Correct the operation of the NLST command.  Finally.  mget should now
   work as users expect it to.

o  Make sure the signal context is restored when jumping out of signal
   handlers.  This was causing signal 11 on some systems.

o  Support for non-ANSI/ISO compilers has been removed.  You MUST have an
   ANSI/ISO C compiler.  This has been true for some time, all that has
   changed is the (incomplete) support for older (K&R) compilers has been
   removed.

o  Myriad places where inactivity timeouts were not being properly
   detected or handled have been corrected.

       The directory listings now detect inactivity.  The original NLST
       did not, which could lead to hanging daemons.

       C FILE handles for data connections are now always flushed, then
       the socket is shut down cleanly before being closed.

       As a side effect, the daemon now more often properly detects
       incomplete transfers.  This can lead, though, to the xferlog
       showing the correct byte count (meaning the daemon read or wrote
       that many bytes over the data connection) while still logging the
       transfer as incomplete (meaning the socket did not shut down
       properly, so the client probably missed some data).

o  The daemon will now wait for the transfer to complete before sending
   'Transfer complete' or similar messages.  This improves the daemon's
   reliability for poorly written clients which take receipt of the message
   as indication the transfer has completed rather than reading until the
   connection closes.

o  The daemon will no longer hang attempting to close the RFC931 socket
   when the remote end is firewalled and does not respond to traffic for
   this protocol.  This was determined to be inappropriate handling of
   SIGALRM; handling for this signal has been cleaned up throughout the
   daemon.



Errata

o  On Tru64 systems with C2 security enabled, real users cannot login.
   This problem is being worked on.



###########################################################################



The PGP signing key for the WU-FTPD Development Group is available from:

 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/PGP.public.key

with MD5 sum

 6fc6f7279f833327017bbc3b6e753c96  PGP.public.key



###########################################################################



The primary distribution site for the WU-FTPD daemon is:

 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

Mirrors are available at the following sites:

Australia
---------
   ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/

   ftp://mirror.aarnet.edu.au/pub/wu-ftpd/
   http://mirror.aarnet.edu.au/pub/wu-ftpd/

Austria
-------
   ftp://gd.tuwien.ac.at/infosys/servers/ftp/wu-ftpd/
   http://gd.tuwien.ac.at/infosys/servers/ftp/wu-ftpd/

Canada
------
   ftp://ftp.crc.ca/pub/packages/ftp/servers/wuarchive-ftpd-vr/

Estonia
-------
   ftp://ftp.ut.ee/pub/unix/networking/wu-ftpd/

Germany
-------
   ftp://ftp.dpn.de/pub/mirrors/wu-ftpd/
   ftp://ftp.tu-clausthal.de:/pub/mirror/wu-ftpd/

Greece
------
   ftp://ftp.hol.gr/pub/packages/wu-ftpd/

Hungary
-------
   ftp://ftp.ahol.com/pub/mirrors/wu-ftpd/
   ftp://ftp.kfki.hu/pub/infosystems/wu-ftpd/

Iceland
-------
   ftp://ftp.gm.is/pub/wu-ftpd/

Ireland
-------
   ftp://ftp.medianet.ie/mirrors/ftp.wu-ftpd.org/pub/wu-ftpd/

Israel
------
   ftp://ftp.tau.ac.il/pub/unix/ftp/wu-ftpd/

Japan
-----

   Ring Server Project
   -------------------
       ftp://ftp.ring.gr.jp/pub/net/wu-ftpd/
       http://www.ring.gr.jp/archives/net/wu-ftpd/

       ftp://ring.aist.go.jp/pub/net/wu-ftpd/
       http://ring.aist.go.jp/archives/net/wu-ftpd/

       ftp://ring.asahi-net.or.jp/pub/net/wu-ftpd/
       http://ring.asahi-net.or.jp/archives/net/wu-ftpd/

       ftp://ring.so-net.ne.jp/pub/net/wu-ftpd/
       http://ring.so-net.ne.jp/archives/net/wu-ftpd/

       ftp://ring.nacsis.ac.jp/pub/net/wu-ftpd/
       http://ring.nacsis.ac.jp/archives/net/wu-ftpd/

       ftp://ring.etl.go.jp/pub/net/wu-ftpd/
       http://ring.etl.go.jp/archives/net/wu-ftpd/

   Other Japan sites
   -----------------
   ftp://ftp.win.ne.jp/pub/network/wu-ftpd/

   ftp://mirror.nucba.ac.jp/mirror/wu-ftpd/
   http://mirror.nucba.ac.jp/mirror/wu-ftpd/

   ftp://ftp.cin.nihon-u.ac.jp/pub/net/ftp/wu-ftpd-vr/

   ftp://ftp.riken.go.jp/pub/net/wu-ftpd/

   http://SunSITE.sut.ac.jp/pub/archives/packages/wu-ftpd/
   ftp://SunSITE.sut.ac.jp/pub/archives/packages/wu-ftpd/

Norway
------
   ftp://ftp.bitcon.no/pub/unix/networking/wu-ftpd/
   http://archive.bitcon.no/pub/unix/networking/wu-ftpd/

Poland
------
   ftp://ftp.task.gda.pl/pub/unix/ftp/wu-ftpd-vr/

   ftp://giswitch.sggw.waw.pl/pub/unix/wu-ftpd/

Spain
-----
   ftp://ftp.upc.es/pub/wu-ftpd/

Sweden
------
   ftp://ftp.sunet.se/pub/nir/ftp/servers/wuarchive-ftpd/
   http://ftp.sunet.se/pub/nir/ftp/servers/wuarchive-ftpd/

Switzerland
-----------
   ftp://sunsite.cnlab-switch.ch/mirror/wu-ftpd/

Taiwan
------
   ftp://ftp.nchu.edu.tw/pub/packages/wu-ftpd/
   http://pds.nchu.edu.tw/pub/packages/wu-ftpd/

   ftp://coda.nctu.edu.tw/pub/UNIX/wu-ftpd/

Turkey
------
   ftp://ftp.ulak.net.tr/pub/wu-ftpd/
   http://ftp.ulak.net.tr/pub/wu-ftpd/

United Kingdom
--------------
   ftp://sunsite.org.uk/Mirrors/ftp.vr.net/pub/wu-ftpd/
   http://sunsite.org.uk/Mirrors/ftp.vr.net/pub/wu-ftpd/

   ftp://ftp.ox.ac.uk/pub/comp/security/COAST/mirrors/ftp.vr.net/

   ftp://ftp.plig.org/pub/wu-ftpd/

United States
-------------

   New York
   --------
       ftp://ftp.academy.rpi.edu/pub/wu-ftpd/

   Ohio
   ----
       ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

   Texas
   -----
       ftp://ftp.landfield.com/wu-ftpd/wu-ftpd.org/
       http://www.landfield.com/wu-ftpd/wu-ftpd.org/


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQCVAwUBOAtCoA7NCCRiiFh1AQGSegP8CX7IatC8SQWE6uGwLV+QFBMgP6gmU3Di
pWci+U7O/6Ak6T2km3hUvSoebMN81VRHcBjNFZiC/ZcZ/VgzgEB+hxvHZ/Hu34ih
oA+iIGCFn9E49aBOY47jK7NzJvFYQ6+RTPKx9M6eFKPYUf83MdnlDUoDBawq1yvr
q33juMIKYjQ=
=w0z+
-----END PGP SIGNATURE-----