[cobalt-security] Unofficial ProFTPD-1.2.8p PKGs available (but don't blindly install them!)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I just rolled up ProFTPD-1.2.8p (p = patched) for the RaQ3, RaQ4, RaQ XTR, 
RaQ550 and Qube3. These PKGs address the security vulnerability which was 
announced earlier on http://xforce.iss.net/xforce/alerts/id/154

HOWEVER: 

There are a few gotchas attached. 

First of all, these PKGs have been sewn with a hot needle at the end of a 
workday which started ... uhm ... some 20 hours ago. :o/ 

Secondly, these packages cannot be uninstalled and I can already guarantee that 
there will be problems if you install the unofficial ProFTPD update now and 
then (at a later time) the official ProFTPD update from Sun Cobalt on top of 
it.

So these PKGs are only for the impatient power users who are able to manually 
edit /etc/proftpd.conf once a Sun Cobalt PKG comes out which fixes ProFTPD. 
Or for those users who willingly want to skip future Sun Cobalt PKGs which 
contain ProFTPD updates.

I really don't know if StackGuard will catch the buffer overflow which this 
newly detected vulnerability describes. It could possibly be that we're 
already sufficiently protected due to StackGuard. So it is up to you if you 
want to take a possibly fatally flawed PKG (which might kill your FTP 
server), or if you'd like to wait for the official fix.

In any case: Be sure to read all the info related to ProFTPD on the download 
page:

	http://www.solarspeed.net/downloads/index.php

- -- 

With best regards,

Michael Stauber
Solarspeed.net

Public PGP Key: https://www.solarspeed.net/mstauber.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/cO64EcjLwmf9gR4RAiSaAJwMczbon3mGext1asXndSG+pOvD1QCgxZjG
x4OnrC6GS/7faho+J5+Z6Kc=
=Bi47
-----END PGP SIGNATURE-----