[cobalt-security] Unofficial ProFTPD-1.2.8p PKGs available (but don't blindly install them!)
- Subject: [cobalt-security] Unofficial ProFTPD-1.2.8p PKGs available (but don't blindly install them!)
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 24 Sep 2003 03:09:08 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi all,

I just rolled up ProFTPD-1.2.8p (p = patched) for the RaQ3, RaQ4, RaQ XTR,
RaQ550 and Qube3. These PKGs address the security vulnerability which was
announced earlier on http://xforce.iss.net/xforce/alerts/id/154

HOWEVER:

There are a few gotchas attached.

First of all, these PKGs have been sewn with a hot needle at the end of a
workday which started ... uhm ... some 20 hours ago. :o/

Secondly, these packages cannot be uninstalled and I can already guarantee that
there will be problems if you install the unofficial ProFTPD update now and
then (at a later time) the official ProFTPD update from Sun Cobalt on top of
it.

So these PKGs are only for the impatient power users who are able to manually
edit /etc/proftpd.conf once a Sun Cobalt PKG comes out which fixes ProFTPD.
Or for those users who willingly want to skip future Sun Cobalt PKGs which
contain ProFTPD updates.

I really don't know if StackGuard will catch the buffer overflow which this
newly detected vulnerability describes. It could possibly be that we're
already sufficiently protected due to StackGuard. So it is up to you if you
want to take a possibly fatally flawed PKG (which might kill your FTP
server), or if you'd like to wait for the official fix.

In any case: Be sure to read all the info related to ProFTPD on the download
page:
http://www.solarspeed.net/downloads/index.php

--
With best regards,
Michael Stauber
Solarspeed.net
Public PGP Key: https://www.solarspeed.net/mstauber.asc