At 12:39 PM 11/22/2006, Dominique L Bouix wrote:
>On Thu, Nov 16, 2006 at 08:26:48AM -0800, Paul Hoffman wrote:
> > This is still of significant concern. Any news on the status? Has the
> > exploit been verified? Is a patch available?
> >


I do find it interesting that the CVE notice has now been amended to
include mitigating information, which the "reliable researcher" had
neglected to tell anyone about.
    "Buffer overflow in ProFTPD 1.3.0 and earlier, when configured to use the
    CommandBufferSize directive, allows remote attackers to cause a denial
    of service, as demonstrated by vd_proftpd.pm, a 'ProFTPD remote exploit.'"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815

So my configs and the sample configs are not vulnerable. And very
probably neither are yours.

And, y'know, maybe I've had the wrong definition of remote exploit
all along, but I thought a DoS was an attack that, however, did not
compromise a site, however much it might compromise the
_availability_ of the site. So this also seems like even more
back-pedaling as details become known.


>Linux vendors have begun releasing fixes for ProFTPd, including Mandriva and
>Debian. What is unclear is if these fixes are from the ProFTPd core team or
>patched by the vendors themselves.


I note that the CVS had a change checked into src/main.c by John
Morrissey only 4 days ago, and having to do very much with CommandBufferSize.
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.293&r2=1.294&sortby=date

Is this the 'fix'?


>TJ Saunders has not been active on the list since Nov 2nd. From what I've
>seen he's usually reacted very quickly to anything concerning security.
>Should we be concerned?


I guess it really comes down to the simple question:

    Does this entire threat depend on the use of the CommandBufferSize
    directive, which would have to be manually added to any sample
    starting configuration?

If so, then we have a new definition of "reliable researcher":
"not usually so _obviously_ profit-driven"


>Dominique
>
>I have CC'd this message to Mr Saunders.
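As an added check, not part of this thread or of the ProFTPD project: a Python script that walks a proftpd.conf (following Include lines into other files) and reports whether CommandBufferSize is set anywhere, which per the CVE text quoted above is the configuration the reported overflow depends on. The sample configuration files it writes are constructed for the demonstration; it assumes plain-path Include lines only (glob patterns are not expanded) and that the directive is active only when it is not commented out.

```python
"""Audit a ProFTPD configuration tree for the CommandBufferSize directive.

Added example, not code from the ProFTPD project or from the list thread.
It assumes only what the quoted CVE-2006-5815 text says: the reported
overflow applies when the server is configured to use CommandBufferSize.
The sample configuration files below are constructed for the demo.
"""
import os
import re
import tempfile

# ProFTPD directive names are case-insensitive; match the directive and its
# single argument at the start of a (possibly indented) line.
DIRECTIVE_RE = re.compile(r"^\s*CommandBufferSize\s+(\S+)", re.IGNORECASE)
# Include lines pull in other files; plain paths only (assumption: glob
# patterns are not expanded here).
INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.IGNORECASE)


def find_command_buffer_size(conf_path, _seen=None):
    """Return [(file, line_no, value), ...] for every active CommandBufferSize
    directive in conf_path and in any file it Includes (Include loops and
    missing files are tolerated)."""
    if _seen is None:
        _seen = set()
    conf_path = os.path.abspath(conf_path)
    if conf_path in _seen or not os.path.isfile(conf_path):
        return []
    _seen.add(conf_path)
    hits = []
    with open(conf_path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank or comment line: never an active directive
            m = DIRECTIVE_RE.match(line)
            if m:
                hits.append((conf_path, lineno, m.group(1)))
                continue
            inc = INCLUDE_RE.match(line)
            if inc:
                target = inc.group(1)
                if not os.path.isabs(target):
                    target = os.path.join(os.path.dirname(conf_path), target)
                hits.extend(find_command_buffer_size(target, _seen))
    return hits


def uses_command_buffer_size(conf_path):
    """True if the configuration tree rooted at conf_path sets the directive."""
    return bool(find_command_buffer_size(conf_path))


def write_sample_tree():
    """Create two constructed configs in a temp dir and return their paths:
    one that sets CommandBufferSize via an Include, one that does not."""
    root = tempfile.mkdtemp(prefix="proftpd-audit-")
    os.mkdir(os.path.join(root, "conf.d"))
    with open(os.path.join(root, "vulnerable.conf"), "w") as fh:
        fh.write(
            'ServerName "constructed sample"\n'
            "# CommandBufferSize 1024   (commented out: must not count)\n"
            "Include conf.d/local.conf\n"
        )
    with open(os.path.join(root, "conf.d", "local.conf"), "w") as fh:
        fh.write("<Global>\n    commandbuffersize 512\n</Global>\n")
    with open(os.path.join(root, "clean.conf"), "w") as fh:
        fh.write('ServerName "constructed sample"\nDefaultRoot ~\n')
    return os.path.join(root, "vulnerable.conf"), os.path.join(root, "clean.conf")


if __name__ == "__main__":
    vulnerable, clean = write_sample_tree()
    for conf in (vulnerable, clean):
        hits = find_command_buffer_size(conf)
        if hits:
            for path, lineno, value in hits:
                print(f"{conf}: CommandBufferSize {value} set at {path}:{lineno}")
        else:
            print(f"{conf}: CommandBufferSize not set")
```

Run it against a real server with `find_command_buffer_size("/etc/proftpd.conf")`; an empty result means the directive is absent from the whole Include tree, which is the condition the amended CVE text describes for the stock sample configurations. A non-empty result tells you exactly which file and line sets it.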





_______________________________________________
ProFTPD Users List