On 3/29/02 3:40 PM martin f krafft said...

>dear bugtraq'ers,
>
>i must confess that the information i provided wrt the acclaimed DoS
>exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
>not fully accurate. the package *does in fact contain a buggy daemon*
>despite having been fixed, according to the changelog:
>
>  proftpd (1.2.0pre10-2.0potato1) stable; urgency=high
<snip>

>i don't think it's necessary to discuss this; the daemon as packaged
>by debian is buggy and that has to be fixed. but i hope i was able to
>give you some more information on the extent of the exploit. i will
>do my best to push a fixed package into the APT archive at
>security.debian.org as soon as possible.

Plus 1.2.0 went final back in January 2001. It's been out for over a year. Many versions without this bug have been released for some time. I don't see any reason to beat a dead horse. Any distribution that still ships anything older than 1.2.4 should simply make 1.2.4 available in the updates or errata.

--
Justin Shore, ES-SS ES-SSR          Pittsburg State University
Network & Systems Manager           Kelce 157Q
Office of Information Systems       Pittsburg, KS 66762
Voice: (620) 235-4606               Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning: This message has been quadruple Rot13'ed for your protection.