Date: Sun, 1 Nov 1998 12:00:00 -0500 (EST)
From: Gregory A Lundberg <[email protected]>
To: WU-FTPD Discussion List <[email protected]>
Subject: [VR10] More enhancements and bug fixes for beta-18
The VR10 patch set for WU-FTPD 2.4.2 (beta-18) is now available.
SECURITY-UPDATE: This set includes the correction of a buffer overflow
problem in the realpath() function discussed recently on the BUGTRAQ
mailing list. The error in realpath() exists in all prior versions of
WU-FTPD including 2.4, all Academ version 2.4.1 and 2.4.2 betas, all
versions of NEWVIRT, BeroFTPD prior to version 1.2.0, and any packages
derived from any of the above. There are no known exploits for this error.
Users of all versions of WU-FTPD are strongly advised to upgrade.
This set also includes additional features requested over the years by the
user community and includes a number of bug fixes for both the base
(beta-18) release and earlier VR patch sets.
These are available as both patches and pre-patched tarballs at my ftp
site:
ftp://ftp.vr.net/pub/wu-ftpd/
If you take just the patch files, please remember: they are cumulative.
You cannot apply fixes from one set without earlier sets already having
been applied. The first set for BETA-18 is VR3; VR1 and VR2 were for
BETA-17 only.
Several pre-compiled binaries for VR9 are also available. These include:
Sun/SunOS
---------
sunos41x-ftpbin.tar.gz (FTP support executables, ls etc.)
wu-ftpd-2.4.2-beta-18-vr10-SunOS-4.1.3_U1.tar.gz
Sun/Solaris
-----------
FTP242b18.wu-ftpd.2.4.2-beta18-VR10.SPARC.ULTRASparc.2.5.1.2.5.pkg.tar.Z
FTP242b18.wu-ftpd.2.4.2-beta18-VR10.SPARC.ULTRASparc.2.5.1.2.5.pkg.tar.gz
wu-ftpd-2.4.2-beta-18-vr10-Solaris-2.6.tar.gz
Sun/NetBSD
----------
wu-ftpd-2.4.2-beta-18-vr10-NetBSD-sparc-1.3.2.tar.gz
Sun/Linux
---------
wu-ftpd-2.4.2-beta-18-vr10-linux-sparc.tar.gz
SGI/IRIX
--------
irix62-ftpbin.tar.gz (FTP support executables, ls etc.)
wu-ftpd-2.4.2-beta-18-vr10-IRIX-6.2.tar.gz
IBM/AIX
-------
wu-ftpd-2.4.2-beta-18-vr10-AIX.3.2.5.tar.gz
DEC/Unix
--------
wu-ftpd-2.4.2-beta-18-vr10-OSF1-3.2-C2.tar.gz
Intel/BSDI
----------
wu-ftpd-2.4.2-beta-18-vr10-BSDI-2.1.tar.gz
wu-ftpd-2.4.2-beta-18-vr10-BSDI-3.1.tar.gz
Intel/Linux
-----------
wu-ftpd-2.4.2-beta-18-vr10.linux.i386.tar.gz
Thanks to all those who helped with debugging and built the pre-compiled
binaries.
This is a list of fixes to BETA 18 with VR9 applied from [email protected]
---------------------------------------------------------------------------
Wolfram Schmidt <[email protected]> pointed out on July 22, 1994,
the daemon does not use the correct method to choose the port for the data
connection in PORT mode. More recently, Bernhard Rosenkraenzer
<[email protected]> added a -p option to BeroFTPD 1.0.12 which
allows the port to be specified for the control connection. With this
patch the daemon will look up the data port in /etc/services. Command-line
options are also provided to allow both the data and control port numbers
to be specified.
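The selection rule the paragraph describes, written out as an added example (this is not wu-ftpd's code; the option names and the choose_ports() helper are assumptions for illustration): an explicit command-line value wins, otherwise /etc/services is consulted, and otherwise the RFC 959 default applies, where the data port is the control port minus one.

```c
/* Added example, not wu-ftpd code: choose control and data ports.
 * Precedence: command-line option > /etc/services > RFC 959 default. */
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Parse a port number given on the command line; 0 if it is not a
 * valid TCP port, so a typo cannot silently bind port 0. */
int parse_port(const char *arg)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return 0;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return 0;
    return (int)v;
}

/* Look a service up in /etc/services; 0 if it is not listed (for
 * instance inside a minimal chroot that carries no services file). */
int service_port(const char *name)
{
    struct servent *se = getservbyname(name, "tcp");
    return se != NULL ? ntohs((unsigned short)se->s_port) : 0;
}

/* ctrl_opt / data_opt: option values (hypothetical -p style options),
 * or NULL when not given. Returns 0 on success, -1 on a bad option or
 * if both ports would coincide. */
int choose_ports(const char *ctrl_opt, const char *data_opt,
                 int *ctrl, int *data)
{
    int c, d;

    if (ctrl_opt != NULL) {
        if ((c = parse_port(ctrl_opt)) == 0)
            return -1;
    } else {
        c = service_port("ftp");
        if (c == 0)
            c = 21;                 /* IANA assignment */
    }

    if (data_opt != NULL) {
        if ((d = parse_port(data_opt)) == 0)
            return -1;
    } else if (ctrl_opt != NULL) {
        d = c - 1;                  /* control port moved: ftp-data entry no longer applies */
    } else {
        d = service_port("ftp-data");
        if (d == 0)
            d = c - 1;              /* RFC 959: data port L-1 */
    }

    if (d == c || d < 1)
        return -1;
    *ctrl = c;
    *data = d;
    return 0;
}
```

The data port is only taken from /etc/services when the control port was not overridden; once the daemon listens somewhere other than 21, the ftp-data entry describes a different server and the L-1 rule is the sensible default.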
Recent discussions have pointed out the need for some high-volume sites to
bypass PID file processing. Testing the daemon as a normal user also
points out the need for this. This patch adds the -Q command-line option
to suppress access to the PID files. NOTE: Without PID files, the limit
ftpaccess clause cannot determine the number of users in the given class.
AUTH (ident) the remote user during login. Record the results in the
syslog. Originally requested, with a suggested patch sent to the mailing
list by [email protected] on Aug 24, 1997. See next patch.
Nick Maclaren <[email protected]> sent a private email to wu-ftpd-bugs,
Bernard and me on Friday, October 16, 1998. He had made a set of patches
to the base, beta-18, release which include a few bugfixes and some new
features:
- RFC-931 (AUTH/IDENT) was finished up. The log messages now show the
RFC-931 user if one is known.
- Support for some Hitachi flavors of Unix was added.
- Major cleanup of build and the makefiles. This was long overdue. I
have received several complaints that changing headers does not cause
the code to recompile; he fixed that. He missed checking for changes
in the support library, so I added that. Also, his changes presumed
the user compiling the code was 'root' so I cleaned up so non-root
can compile the daemon (this was mainly because I've cleaned up the
file permissions in the release tarballs).
- A number of minor fixes, mainly having to do with differences between
ANSI/ISO and K&R C. His comments about C9X (the next C standard) are
bogus but his changes either were good ideas or pointed out where the
code needed a bit of work.
I've added comments to his FIXES file where I've departed from his work.
Stan's TODO item 21 calls for access control by remote username if this was
authenticated using RFC-931. Results from RFC-931 should not be used for
authentication. Cancelling this item.
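The AUTH/ident item above, the RFC-931 logging in Nick Maclaren's patches, and the cancelled TODO item 21 all come down to one rule: the ident reply is recorded next to the login, never used to decide it. The following added example (not wu-ftpd's code; the log-line layout and function names are assumptions) parses an RFC 1413 reply defensively and formats it for the syslog.

```c
/* Added example, not wu-ftpd code: parse an RFC 1413 (AUTH/ident) reply so
 * the result can be written to the syslog. The identity is informational
 * only; nothing here grants or denies access on the strength of it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IDENT_TOK 64

enum ident_status { IDENT_MALFORMED = 0, IDENT_USERID, IDENT_ERROR };

struct ident_result {
    enum ident_status status;
    char os[IDENT_TOK];     /* opsys field of a USERID reply, e.g. "UNIX" */
    char id[IDENT_TOK];     /* user-id for USERID, error token for ERROR */
};

/* Strip leading and trailing blanks in place; returns the trimmed start. */
static char *trim(char *s)
{
    char *end;
    while (*s && isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Split s on ':' into at most max pieces. The last piece keeps any further
 * colons, because an RFC 1413 user-id may itself contain them. */
static int split_colon(char *s, char *out[], int max)
{
    int n = 0;
    while (n < max - 1) {
        char *c = strchr(s, ':');
        out[n++] = s;
        if (c == NULL)
            return n;
        *c = '\0';
        s = c + 1;
    }
    out[n++] = s;
    return n;
}

/* Parse one reply line, either
 *   "<server-port> , <client-port> : USERID : <opsys> : <user-id>"  or
 *   "<server-port> , <client-port> : ERROR : <error-type>".
 * The port pair must echo the pair in our query. Returns 0 for a
 * well-formed reply, -1 otherwise (status stays IDENT_MALFORMED). */
int ident_parse(const char *line, int want_server, int want_client,
                struct ident_result *out)
{
    char buf[512];
    char *f[4];
    int n, sp, cp;

    memset(out, 0, sizeof *out);
    if (strlen(line) >= sizeof buf)     /* refuse oversize replies outright */
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';

    n = split_colon(buf, f, 4);
    if (n < 3)
        return -1;
    if (sscanf(f[0], " %d , %d", &sp, &cp) != 2 ||
        sp != want_server || cp != want_client)
        return -1;

    if (n == 4 && strcmp(trim(f[1]), "USERID") == 0) {
        const char *id = trim(f[3]);
        if (*id == '\0')
            return -1;
        snprintf(out->os, sizeof out->os, "%s", trim(f[2]));
        snprintf(out->id, sizeof out->id, "%s", id);
        out->status = IDENT_USERID;
        return 0;
    }
    if (n == 3 && strcmp(trim(f[1]), "ERROR") == 0) {
        snprintf(out->id, sizeof out->id, "%s", trim(f[2]));
        out->status = IDENT_ERROR;
        return 0;
    }
    return -1;
}

/* Format the syslog text (layout is this example's own): the ident name is
 * logged beside the FTP login name, never substituted for it. Returns out. */
const char *ident_log_line(const struct ident_result *r, const char *host,
                           const char *ftp_user, char *out, size_t outlen)
{
    if (r->status == IDENT_USERID)
        snprintf(out, outlen, "%s: ident=%s os=%s login=%s", host, r->id, r->os, ftp_user);
    else if (r->status == IDENT_ERROR)
        snprintf(out, outlen, "%s: ident-error=%s login=%s", host, r->id, ftp_user);
    else
        snprintf(out, outlen, "%s: ident unavailable login=%s", host, ftp_user);
    return out;
}
```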
Stan's TODO item 3 calls for adding additional logging. This was done in
earlier VR patch sets. There is no reason to change to another log file.
Marking this item completed.
BeroFTPD has 'ls' implemented internally. Marking Stan's TODO item 25
complete.
[email protected] pointed out the Perl xferstats wasn't updated to match the
new xferlog format with the new completion-code field on the end.
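For anyone maintaining their own log tooling, here is an added example (not wu-ftpd's code and not its Perl xferstats) of an xferlog parser that understands the beta-18 layout with the completion-status field appended, while still accepting lines without it; the sample lines are constructed.

```c
/* Added example, not wu-ftpd code: parse xferlog lines, tolerating both the
 * older 17-token layout and the beta-18 layout that appends a
 * completion-status field ("c" complete, "i" incomplete). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XF_FIELD 128

struct xfer_rec {
    char timestamp[32];       /* five tokens, e.g. "Sun Nov 1 12:00:00 1998" */
    long transfer_secs;
    char remote_host[XF_FIELD];
    long file_size;
    char filename[XF_FIELD];
    char transfer_type;       /* a = ascii, b = binary */
    char special_action;      /* C, U, T or _ */
    char direction;           /* o = outgoing, i = incoming */
    char access_mode;         /* a = anonymous, g = guest, r = real */
    char username[XF_FIELD];
    char service[XF_FIELD];
    int  auth_method;         /* 0 = none, 1 = RFC 931 */
    char auth_user[XF_FIELD];
    char completion;          /* c, i, or '?' when the line predates the field */
};

/* Returns 0 on success, -1 on a malformed line. */
int xferlog_parse(const char *line, struct xfer_rec *r)
{
    char buf[1024];
    char *tok[20];
    int n = 0;
    char *p;

    memset(r, 0, sizeof *r);
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';

    /* strtok collapses the double space in "Nov  1"; harmless here. */
    for (p = strtok(buf, " "); p != NULL && n < 20; p = strtok(NULL, " "))
        tok[n++] = p;
    if (n != 17 && n != 18)             /* 5 timestamp tokens + 12 or 13 fields */
        return -1;

    snprintf(r->timestamp, sizeof r->timestamp, "%s %s %s %s %s",
             tok[0], tok[1], tok[2], tok[3], tok[4]);
    r->transfer_secs = strtol(tok[5], NULL, 10);
    snprintf(r->remote_host, sizeof r->remote_host, "%s", tok[6]);
    r->file_size = strtol(tok[7], NULL, 10);
    snprintf(r->filename, sizeof r->filename, "%s", tok[8]);
    r->transfer_type  = tok[9][0];
    r->special_action = tok[10][0];
    r->direction      = tok[11][0];
    r->access_mode    = tok[12][0];
    snprintf(r->username, sizeof r->username, "%s", tok[13]);
    snprintf(r->service, sizeof r->service, "%s", tok[14]);
    r->auth_method = (int)strtol(tok[15], NULL, 10);
    snprintf(r->auth_user, sizeof r->auth_user, "%s", tok[16]);

    if (n == 18) {
        if (strlen(tok[17]) != 1 || (tok[17][0] != 'c' && tok[17][0] != 'i'))
            return -1;
        r->completion = tok[17][0];
    } else {
        r->completion = '?';            /* old format: status unknown */
    }
    return 0;
}

/* Sum the bytes of transfers not marked incomplete. Old-format lines carry no
 * status and are counted, which is what statistics before beta-18 did anyway.
 * *bad receives the number of lines that failed to parse. */
long xferlog_completed_bytes(const char *const lines[], int nlines, int *bad)
{
    long total = 0;
    struct xfer_rec r;
    int i;

    *bad = 0;
    for (i = 0; i < nlines; i++) {
        if (xferlog_parse(lines[i], &r) != 0) {
            (*bad)++;
            continue;
        }
        if (r.completion != 'i')
            total += r.file_size;
    }
    return total;
}
```

Counting bytes of incomplete transfers was exactly the kind of skew the old xferstats produced once the field existed and the script ignored it.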
A recent discussion on BUGTRAQ pointed out a buffer-overrun in the realpath
function. Bernard imported the FreeBSD realpath() function to correct this
error. This closes Stan's TODO item 1.
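The realpath() correction is the security fix of this set. As an added example (not wu-ftpd's code and not the FreeBSD realpath() that was imported; the helper names are this example's own), the two checks a path-resolution routine in a daemon like this has to get right: never copy a resolved path into a fixed buffer without checking that it fits, and then confirm the canonical result still lies inside the directory tree being served.

```c
/* Added example, not wu-ftpd code: bounds-checked path resolution plus a
 * containment check against the served root. */
#define _XOPEN_SOURCE 700     /* for realpath(3) under strict C modes */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `path` into out[outlen]. realpath(path, NULL) lets the C library
 * size its own result, so the only copy into a fixed buffer is the one
 * below, and it happens after the length has been checked.
 * Returns 0, or -1 with errno set (ENAMETOOLONG when it does not fit). */
int bounded_realpath(const char *path, char *out, size_t outlen)
{
    char *resolved;
    size_t len;

    if (out == NULL || outlen == 0) {
        errno = EINVAL;
        return -1;
    }
    resolved = realpath(path, NULL);
    if (resolved == NULL)
        return -1;                      /* errno already set by realpath(3) */
    len = strlen(resolved);
    if (len + 1 > outlen) {             /* would overrun the caller's buffer */
        free(resolved);
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, resolved, len + 1);
    free(resolved);
    return 0;
}

/* Pure string check: 1 if `resolved` is `root` itself or lies beneath it,
 * 0 otherwise. Both must already be canonical (no ".." and no symlinks),
 * which is what bounded_realpath() provides. A bare prefix comparison would
 * wrongly accept "/var/ftpx" under "/var/ftp", hence the separator test. */
int path_within(const char *resolved, const char *root)
{
    size_t rl = strlen(root);

    while (rl > 1 && root[rl - 1] == '/')   /* ignore a trailing slash on root */
        rl--;
    if (strncmp(resolved, root, rl) != 0)
        return 0;
    if (rl == 1 && root[0] == '/')          /* root is "/": any absolute path qualifies */
        return resolved[0] == '/';
    return resolved[rl] == '\0' || resolved[rl] == '/';
}
```

The order matters: resolve first, then compare, because "/var/ftp/pub/../../etc" only reveals where it really points after canonicalisation.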
--
Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              [email protected]
Kettering, OH 45409-1615 USA    1-800-809-2195