i don't have the date of the post.. i rm my mail weekly.. didn't know about the weekly news thing, i knew it existed but never read it yet.. i did/do check freshmeat/linuxtoday/linuxweeklynews/bugtraq/(others?) regularly and never saw a mention.

nate

----------------------------------------[mailto:[EMAIL PROTECTED] ]--
Linux System Administrator            http://www.firetrail.com/
Firetrail Internet Services Limited   http://www.aphroland.org/
Everett, WA 425-348-7336              http://www.linuxpowered.net/
Powered By:                           http://comedy.aphroland.org/
Debian 2.1 Linux 2.0.36 SMP           http://yahoo.aphroland.org/
-----------------------------------------[mailto:[EMAIL PROTECTED] ]--

On Sat, 16 Oct 1999, Bryan Scaringe wrote:

> Actually, it has been mentioned in Debian Weekly News.
>
> Proftpd seems like it was designed with security in mind,
> much more so than wu-ftpd. Do you remember the date of that post
> that discussed the design flaws? I'd like to read it.
>
> proftpd just switched primary developers. As such, it's
> receiving a major overhaul. Now they're trying to shake the last of
> the bugs out for 1.2.0. That's where all those proftpd-1.2.0preX
> versions are coming from.
>
> offtopic: One of the holes that was fixed a few weeks back stemmed
> from the fact that something like this happened:
>     strncpy(acharbuffer, userinput, X)
> which supposedly led to a buffer overflow. Could someone explain
> how a buffer overflow could happen with strNcpy? I thought using
> strNcpy pretty much stopped buffer overflows cold.
>
> Thanks,
> Bryan
>
>
> On 16-Oct-99 aphro wrote:
> > i find it very surprising that there is not even a peep from debian
> > developers about the massive security holes in proftpd and the minor ones
> > in wu.ftpd ..virtually all the other distros announced. even if there is
> > not a good fix people should be made aware not everyone watches bugtraq.
> >
> > unless the version(s) of proftpd in debian are safe? i read a post that
> > talked about flaws in the very design of it, making it secure would
> > require almost an entire re-write of the whole package.
> >
> > i posted to debian-user a few weeks back askin for help with this issue
> > but never saw a reply (if there was sorry i must've missed it)
> >
> > nate
> > (just tryin to watch out for fellow debian users)
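
Added example, not part of the original thread and not a reconstruction of the proftpd code (which the thread does not show): two general ways a `strncpy(buf, input, X)` call can still corrupt memory, next to a bounded copy that always terminates. All names and the 8-byte buffer size are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN 8  /* size of the logical destination buffer (constructed) */

/* Case 1: src has >= n bytes, so strncpy writes no terminating NUL.
 * Returns 1 if dst is left unterminated. */
int unterminated_after_strncpy(const char *src)
{
    char dst[BUF_LEN];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Case 2: strncpy always writes exactly n bytes (it pads with NULs), so a
 * count larger than the buffer overruns it even for short input. The
 * backing array is larger than BUF_LEN so this demo stays in bounds. */
size_t bytes_written_past_buffer(const char *src, size_t n)
{
    unsigned char backing[4 * BUF_LEN];
    size_t i, past = 0;
    if (n > sizeof backing) return 0;
    memset(backing, 0xAA, sizeof backing);
    strncpy((char *)backing, src, n);
    for (i = BUF_LEN; i < sizeof backing; i++)
        if (backing[i] != 0xAA) past++;
    return past;
}

/* Hardened copy: bounded by the destination size, always terminated,
 * returns -1 on truncation so the caller can reject over-long input. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) return -1;
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char d[BUF_LEN];
    printf("unterminated: %d\n", unterminated_after_strncpy("12345678"));
    printf("bytes past buffer: %zu\n", bytes_written_past_buffer("hi", 16));
    printf("bounded_copy: %d\n", bounded_copy(d, sizeof d, "123456789"));
}
```

In case 1 the overflow happens later, when code such as `strlen` or `strcpy` reads the unterminated buffer and runs past its end.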