Module Name: othersrc Committed By: lukem Date: Sun Sep 24 01:23:17 UTC 2023
Modified Files: othersrc/libexec/tnftpd: ChangeLog NEWS Log Message: update ChangeLog for yesterday's improvements To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 othersrc/libexec/tnftpd/ChangeLog cvs rdiff -u -r1.15 -r1.16 othersrc/libexec/tnftpd/NEWS Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: othersrc/libexec/tnftpd/ChangeLog diff -u othersrc/libexec/tnftpd/ChangeLog:1.64 othersrc/libexec/tnftpd/ChangeLog:1.65 --- othersrc/libexec/tnftpd/ChangeLog:1.64 Sat Jul 4 06:49:19 2020 +++ othersrc/libexec/tnftpd/ChangeLog Sun Sep 24 01:23:17 2023 @@ -1,6 +1,40 @@ -$NetBSD: ChangeLog,v 1.64 2020/07/04 06:49:19 lukem Exp $ +$NetBSD: ChangeLog,v 1.65 2023/09/24 01:23:17 lukem Exp $ -Sat Jul 4 06:40:38 UTC 2020 lukem +Sat Sep 23 05:39:49 UTC 2023 lu...@netbsd.org + + * Security fixes: + * CVE-2020-7468: Improve error handling when switching UID/GID. + * Prevent MLSD and MLST before authentication succeeds. + + * Update to NetBSD-ftpd 20230922: + * Treat failed chdir/chroot for guest and chroot accounts as + fatal. Also treat failed set{e,}(u,g}id calls as fatal. + Addresses CVE-2020-7468, via FreeBSD. + * Improve seteuid error handling, per suggestion by Simon + Josefsson. + * Add missing check_login checks for MLST and MLSD. + + * Sync libnetbsd replacements with NetBSD upstream: + * Replace fgetln() with tools/compat implementation that + handles embedded NULs. + * Fix inet_net_pton() to avoid integer overflow in bits. + * Fix inet_ntop() to set errno when returning NULL. + * Fix inet_pton() to improve hex formatting. + * Fix sl_add() to not update size unless realloc() succeeds. + + * Improve portability on NetBSD by providing own setprogname() + and getprogname(), instead of defining global __progname. + + * Update example ftpusers to use example DNS and IP addresses. + + * Build fixes: + * Improve configure's display of detected features. + * Enable more POSIX extensions. + * Only replace glob() if required GLOB_ flags aren't available. + * Only replace fts_open() if required FTS_ flags aren't + available. + +Sat Jul 4 06:40:38 UTC 2020 lu...@netbsd.org * Release as "tnftpd 20200704". @@ -11,11 +45,11 @@ Sat Jul 4 06:40:38 UTC 2020 lukem * Increase some buffer sizes. * Rename blacklist to blocklist. -Sun Jun 2 05:56:12 UTC 2019 lukem +Sun Jun 2 05:56:12 UTC 2019 lu...@netbsd.org * Release as "tnftpd 20190602". -Tue Jan 29 23:12:52 UTC 2019 lukem +Tue Jan 29 23:12:52 UTC 2019 lu...@netbsd.org * Limit fnmatch(), fts(), strsuftollx() recursion to avoid DoS attacks. From Maksymilian Arciemowicz. @@ -56,13 +90,13 @@ Tue Jan 29 23:12:52 UTC 2019 lukem * Remove endorsement clause from some of my licenses. -Mon Mar 25 03:51:20 UTC 2013 lukem +Mon Mar 25 03:51:20 UTC 2013 lu...@netbsd.org * Release as "tnftpd 20130325" * Fix incorrect use of test(1) in configure. -Fri Mar 22 09:00:00 UTC 2013 lukem +Fri Mar 22 09:00:00 UTC 2013 lu...@netbsd.org * Release as "tnftpd 20130322" @@ -81,7 +115,7 @@ Fri Mar 22 09:00:00 UTC 2013 lukem * Reduce priority of syslog message if getpeername returns ENOTCONN. PR/18934 from Greg A Woods. -Wed Mar 24 12:34:09 UTC 2010 lukem +Wed Mar 24 12:34:09 UTC 2010 lu...@netbsd.org * Release as "tnftpd 20100324" @@ -89,7 +123,7 @@ Wed Mar 24 12:34:09 UTC 2010 lukem * Security fix; apply NetBSD popen.c 1.37: PR/43023: Bruce Cran: FTPD bug remote crash -Mon Jan 4 05:51:15 UTC 2010 lukem +Mon Jan 4 05:51:15 UTC 2010 lu...@netbsd.org * Regenerate .manin manual page sources from upstream sources. @@ -98,12 +132,12 @@ Mon Jan 4 05:51:15 UTC 2010 lukem * Distribute various files not shipped by default automake rules, to use 'make dist' instead of 'cvs export'. -Wed Dec 30 01:48:57 UTC 2009 lukem +Wed Dec 30 01:48:57 UTC 2009 lu...@netbsd.org * Release as "tnftpd 20091122" -Sat Nov 7 11:13:38 UTC 2009 lukem - +Sat Nov 7 11:13:38 UTC 2009 lu...@netbsd.org + * Convert to automake & libtool. * Rename config.h to tnftpd_config.h. @@ -121,7 +155,7 @@ Sat Nov 7 11:13:38 UTC 2009 lukem * Log both the hostname and numeric address. * Improve man page mdoc formatting -Sun Mar 1 03:10:40 UTC 2009 lukem +Sun Mar 1 03:10:40 UTC 2009 lu...@netbsd.org * fts_open.c: - Ensure fts_close() doesn't spuriously close fd 0, @@ -131,22 +165,22 @@ Sun Mar 1 03:10:40 UTC 2009 lukem damage. Received from OpenBSD via US-CERT as VU #590371. -Tue Dec 30 22:36:05 UTC 2008 lukem +Tue Dec 30 22:36:05 UTC 2008 lu...@netbsd.org * Fix the SIA implementation, per feedback from Onno van der Linden. -Sat Dec 20 07:41:22 UTC 2008 lukem +Sat Dec 20 07:41:22 UTC 2008 lu...@netbsd.org * Install into ${exec_prefix}/libexec instead of ${exec_prefix}/sbin -Fri Dec 19 05:08:56 UTC 2008 lukem +Fri Dec 19 05:08:56 UTC 2008 lu...@netbsd.org * Add support for Tru64 Security Integration Architecture (SIA) authentication. Patch from Onno van der Linden, with autoconf tests written by me. Refer to configure's --with-sia option. -Tue Oct 28 08:15:35 UTC 2008 lukem +Tue Oct 28 08:15:35 UTC 2008 lu...@netbsd.org * Perform the shadow password expiry checks using days rather than seconds, otherwise an sp_max of 99999 (default on Debian) would @@ -155,7 +189,7 @@ Tue Oct 28 08:15:35 UTC 2008 lukem locked out. Problem noted by Takashi SHIRAI. -Thu Oct 9 02:06:46 UTC 2008 lukem +Thu Oct 9 02:06:46 UTC 2008 lu...@netbsd.org * Tagged as "tnftpd-20081009". @@ -174,13 +208,13 @@ Thu Oct 9 02:06:46 UTC 2008 lukem * Don't assume that HAVE_STRUCT_PASSWD_PW_CHANGE means you have _PASSWORD_CHGNOW. -Mon Sep 29 00:56:00 UTC 2008 lukem +Mon Sep 29 00:56:00 UTC 2008 lu...@netbsd.org * Tagged as "tnftpd-20080929". * Updated version to "tnftpd 20080929". -Sat Sep 27 16:05:08 UTC 2008 lukem +Sat Sep 27 16:05:08 UTC 2008 lu...@netbsd.org * Tweak make's subdir traversal. @@ -194,7 +228,7 @@ Sat Sep 27 16:05:08 UTC 2008 lukem * Consistency tweaks in AC_MSG_CHECKING. -Sun Sep 21 16:34:30 UTC 2008 lukem +Sun Sep 21 16:34:30 UTC 2008 lu...@netbsd.org * Change RCSID from Id to NetBSD. @@ -216,27 +250,27 @@ Sun Sep 21 16:34:30 UTC 2008 lukem Both features from Rudolf Cejka. (FreeBSD's tnftpd port maintainer). -Sat Sep 20 01:47:15 UTC 2008 lukem +Sat Sep 20 01:47:15 UTC 2008 lu...@netbsd.org * Add fts_free() to complement fts_alloc(), and use instead of free(). Should avoid a memory leak on systems without ALIGNBYTES. -Wed Sep 17 03:43:14 UTC 2008 lukem +Wed Sep 17 03:43:14 UTC 2008 lu...@netbsd.org * Check for DIR.dd_fd, DIR.__dd_fd, and dirfd(), and provide a replacement dirfd() if possible. -Fri Aug 15 04:24:01 UTC 2008 lukem +Fri Aug 15 04:24:01 UTC 2008 lu...@netbsd.org * Improve "Configuration results" display. Fix handling of with_skey=auto. -Thu Jun 12 09:00:22 UTC 2008 lukem +Thu Jun 12 09:00:22 UTC 2008 lu...@netbsd.org * Search for and #include <sys/resource.h> after <sys/time.h>; fixes build on OS X 10.3.x. -Mon Jun 9 03:08:29 UTC 2008 lukem +Mon Jun 9 03:08:29 UTC 2008 lu...@netbsd.org * Tagged as "tnftpd-20080609". @@ -250,7 +284,7 @@ Mon Jun 9 03:08:29 UTC 2008 lukem password prompts. * Improve some debug logging related to PAM. -Sun Jun 1 06:04:00 UTC 2008 lukem +Sun Jun 1 06:04:00 UTC 2008 lu...@netbsd.org * Disable --with-skey by default. @@ -284,7 +318,7 @@ Sun Jun 1 06:04:00 UTC 2008 lukem * Add check for madvise(). -Sun Mar 9 21:05:10 UTC 2008 lukem +Sun Mar 9 21:05:10 UTC 2008 lu...@netbsd.org * Sync fts source with NetBSD: - Sync to src/include/fts.h 1.17 @@ -303,14 +337,14 @@ Sun Mar 9 21:05:10 UTC 2008 lukem * Support @EXEEXT@. Use .PHONY. -Tue Jul 24 00:06:52 UTC 2007 lukem +Tue Jul 24 00:06:52 UTC 2007 lu...@netbsd.org * Set YACC to @YACC@ so that AC_PROG_YACC DTRT on systems that only have bison. * Avoid an 'unused variable' warning. -Mon Jul 23 11:42:21 UTC 2007 lukem +Mon Jul 23 11:42:21 UTC 2007 lu...@netbsd.org * Don't use non-standard: u_char u_short u_int. Use uint32_t instead of u_int32_t. @@ -341,7 +375,7 @@ Mon Jul 23 11:42:21 UTC 2007 lukem * Explicitly exit(1) at the end of main(), to suppress a compile warning on certain systems. -Sun Jul 22 11:27:29 UTC 2007 lukem +Sun Jul 22 11:27:29 UTC 2007 lu...@netbsd.org * Sync to config.guess 2007-07-22, config.sub 2007-06-28. @@ -361,14 +395,14 @@ Sun Jul 22 11:27:29 UTC 2007 lukem - always use our arpa_ftp.h rather than trying to detect if FTP_NAMES works. -Mon Mar 19 01:00:19 UTC 2007 lukem +Mon Mar 19 01:00:19 UTC 2007 lu...@netbsd.org * Change the return value of the replacement gai_strerror() from "char *" to "const char *", to match the current standards. Problem noted by Thomas Klausner. -Mon Dec 18 04:08:33 UTC 2006 lukem +Mon Dec 18 04:08:33 UTC 2006 lu...@netbsd.org * Tagged as "tnftpd-20061217". @@ -376,7 +410,7 @@ Mon Dec 18 04:08:33 UTC 2006 lukem * Provide a replacement daemon(3) for systems that lack it. -Mon Dec 4 02:09:16 UTC 2006 lukem +Mon Dec 4 02:09:16 UTC 2006 lu...@netbsd.org * Tagged as "tnftpd-20061204". @@ -384,7 +418,7 @@ Mon Dec 4 02:09:16 UTC 2006 lukem * Added NEWS file back. -Wed Sep 27 05:22:18 UTC 2006 lukem +Wed Sep 27 05:22:18 UTC 2006 lu...@netbsd.org * Implement ftpd_poll() using poll(), or select() if poll() isn't available. Reenable -D, using ftpd_poll(). @@ -493,7 +527,7 @@ Mon Jul 25 15:31:21 UTC 2005 ginsbach * Update ftpd.c to NetBSD-ftpd 20041209 + Fix inverted test for aged passwords. -Wed Dec 1 09:17:50 UTC 2004 lukem +Wed Dec 1 09:17:50 UTC 2004 lu...@netbsd.org * Add autoconf test for struct passwd.pw_change @@ -506,13 +540,13 @@ Wed Dec 1 09:17:50 UTC 2004 lukem will not be allowed FTP access. Inspired by similar functionality in other FTP daemons. -Tue Aug 10 00:59:10 UTC 2004 lukem +Tue Aug 10 00:59:10 UTC 2004 lu...@netbsd.org * Tagged as "tnftpd-20040810". * Updated version to "tnftpd 20040810" -Tue Aug 10 00:48:58 UTC 2004 lukem +Tue Aug 10 00:48:58 UTC 2004 lu...@netbsd.org * BSD/OS 3.0 portability fixes from Jeremy C. Reed: * Use _POSIX_LOGIN_NAME_MAX if sysconf(_SC_LOGIN_NAME_MAX) @@ -557,11 +591,11 @@ Fri Dec 19 22:57:50 UTC 2003 grant * Honour --sysconfdir. -Thu Dec 18 00:49:31 UTC 2003 lukem +Thu Dec 18 00:49:31 UTC 2003 lu...@netbsd.org * Tagged & released as "tnftpd-20031217" -Wed Dec 17 01:44:40 UTC 2003 lukem +Wed Dec 17 01:44:40 UTC 2003 lu...@netbsd.org * Updated version to "tnftpd 20031217". @@ -572,7 +606,7 @@ Wed Dec 17 01:44:40 UTC 2003 lukem * Fix cut & paste botch in fallback #define for LLONG_MIN. (noted by Onno). -Tue Dec 16 02:13:49 UTC 2003 lukem +Tue Dec 16 02:13:49 UTC 2003 lu...@netbsd.org * Document how to enable large file support on Solaris. @@ -581,7 +615,7 @@ Tue Dec 16 02:13:49 UTC 2003 lukem * Rename HAVE_QUAD_SUPPORT to HAVE_WORKING_LONG_LONG. -Tue Dec 16 00:42:58 UTC 2003 lukem +Tue Dec 16 00:42:58 UTC 2003 lu...@netbsd.org * Updated version to "tnftpd 20031216". @@ -594,7 +628,7 @@ Tue Dec 16 00:42:58 UTC 2003 lukem * Convert the 4 clause UCB licensed code to the 3 clause license. -Wed Dec 10 02:30:19 UTC 2003 lukem +Wed Dec 10 02:30:19 UTC 2003 lu...@netbsd.org * tagged as "tnftpd 20031210" @@ -623,19 +657,19 @@ Wed Dec 10 02:30:19 UTC 2003 lukem in PR 22410 by Joel Baker, confirmed to the board by Jason Downs. With additional thanks to Jason Thorpe. -Wed Dec 10 01:33:35 UTC 2003 lukem +Wed Dec 10 01:33:35 UTC 2003 lu...@netbsd.org * replace netbsd.org with NetBSD.org as appropriate. * replace libnetbsd/fgetln.c with the better version that Christos wrote (as found in tnftp). -Thu Jul 31 09:10:49 UTC 2003 lukem +Thu Jul 31 09:10:49 UTC 2003 lu...@netbsd.org * work-around missing LLONG_MAX and LLONG_MIN on Darwin. Patch from Yuji Yamano. -Mon Mar 3 03:42:42 UTC 2003 lukem +Mon Mar 3 03:42:42 UTC 2003 lu...@netbsd.org * manually apply revs 1.75-1.76 from netbsd repo: - fix typos accidentally introduced in rev 1.70 @@ -644,18 +678,18 @@ Mon Mar 3 03:42:42 UTC 2003 lukem * replace missing sete[gi]uid() with setres[ug]id() if the latter exists. (for HP-UX) -Fri Feb 28 04:02:48 UTC 2003 lukem +Fri Feb 28 04:02:48 UTC 2003 lu...@netbsd.org * replace references to `ftpd' in manual pages with `tnftpd', update the dates, and regenerate the catdoc pages. -Thu Feb 27 03:15:51 UTC 2003 lukem +Thu Feb 27 03:15:51 UTC 2003 lu...@netbsd.org * tagged as "tnftpd 2.0 beta3" * only use MAP_FILE if its available -Wed Feb 26 14:51:51 UTC 2003 lukem +Wed Feb 26 14:51:51 UTC 2003 lu...@netbsd.org * fixes from Tetsuya Isaki: - provide adhoc definition of LOGIN_NAME_MAX for slackware 8.1 @@ -671,7 +705,7 @@ Wed Feb 26 14:51:51 UTC 2003 lukem - remove dummy "" arg from .Nm in man pages -Mon Feb 24 06:32:44 UTC 2003 lukem +Mon Feb 24 06:32:44 UTC 2003 lu...@netbsd.org * update to NetBSD-current 2003-02-23 - maintain a cwd cache @@ -685,7 +719,7 @@ Mon Feb 24 06:32:44 UTC 2003 lukem bound to for an extended period of time, locking out all other PORT connections. -Sun Dec 8 13:09:20 UTC 2002 lukem +Sun Dec 8 13:09:20 UTC 2002 lu...@netbsd.org * tagged as "tnftpd 2.0 beta2" @@ -695,41 +729,41 @@ Sun Dec 8 13:09:20 UTC 2002 lukem * update to NetBSD-current 2002-10-08 -Sat Oct 26 12:25:03 UTC 2002 lukem +Sat Oct 26 12:25:03 UTC 2002 lu...@netbsd.org * tagged as "tnftpd 2.0 beta1" -Sat Oct 26 03:24:45 UTC 2002 lukem +Sat Oct 26 03:24:45 UTC 2002 lu...@netbsd.org * renamed release to `tnftpd' * renamed `libukem' to `libnetbsd' -Wed Jun 5 12:57:46 UTC 2002 lukem +Wed Jun 5 12:57:46 UTC 2002 lu...@netbsd.org * don't bother checking if <glob.h> is usable since we're always compiling in our own glob.c -Thu May 23 02:43:41 UTC 2002 lukem +Thu May 23 02:43:41 UTC 2002 lu...@netbsd.org * released 1.2 beta 2 * replace fnmatch(3) if FNM_CASEFOLD isn't available -Sat Mar 16 01:28:28 UTC 2002 lukem +Sat Mar 16 01:28:28 UTC 2002 lu...@netbsd.org * libukem/glob.c: Fix two problems in the KNR->ANSI conversion noticed by Yuji Yamano. -Thu Mar 14 06:02:31 UTC 2002 lukem +Thu Mar 14 06:02:31 UTC 2002 lu...@netbsd.org * released 1.2 beta 1 -Thu Mar 14 05:39:24 UTC 2002 lukem +Thu Mar 14 05:39:24 UTC 2002 lu...@netbsd.org * libukem/snprintf.c: fix compile errors with gcc 3.x -Sat Mar 1 07:10:54 UTC 2002 lukem +Sat Mar 1 07:10:54 UTC 2002 lu...@netbsd.org * update to NetBSD-current 2002-03-01 User visible changes include: @@ -747,21 +781,21 @@ Sat Mar 1 07:10:54 UTC 2002 lukem - fix skey password challenge - don't try and use the motd directive if it's not set -Thu Feb 28 01:39:06 UTC 2002 lukem +Thu Feb 28 01:39:06 UTC 2002 lu...@netbsd.org * update libukem/glob.c from NetBSD's __glob13.c rev 1.22 and rev 1.23 -Wed May 9 02:04:08 UTC 2001 lukem +Wed May 9 02:04:08 UTC 2001 lu...@netbsd.org * released 1.1 -Sat Apr 28 07:13:57 UTC 2001 lukem +Sat Apr 28 07:13:57 UTC 2001 lu...@netbsd.org * released 1.1 beta 1 * determine if crypt() and getusershell() need declarations -Wed Apr 25 06:27:08 UTC 2001 lukem +Wed Apr 25 06:27:08 UTC 2001 lu...@netbsd.org * update to NetBSD-current 2001-04-25: - update copyrights @@ -776,7 +810,7 @@ Wed Apr 25 06:27:08 UTC 2001 lukem and adding a flag to struct tab, to indicate if or not it's acceptable for a command to occur OOB. -Tue Apr 17 08:20:09 UTC 2001 lukem +Tue Apr 17 08:20:09 UTC 2001 lu...@netbsd.org * look for <arpa/nameser.h> @@ -788,7 +822,7 @@ Tue Apr 17 08:20:09 UTC 2001 lukem * remove unused sverrno in warnx() and errx() -Fri Apr 13 16:02:40 UTC 2001 lukem +Fri Apr 13 16:02:40 UTC 2001 lu...@netbsd.org * improve test for long long support so that it's only enabled if printf supports %ll or %q and they do the right thing. @@ -802,11 +836,11 @@ Fri Apr 13 16:02:40 UTC 2001 lukem make checkportcmd address family independent, and correct IPv4 case. PR 12558. -Sun Apr 8 03:35:55 UTC 2001 lukem +Sun Apr 8 03:35:55 UTC 2001 lu...@netbsd.org * release 1.0 -Thu Apr 5 14:08:25 UTC 2001 lukem +Thu Apr 5 14:08:25 UTC 2001 lu...@netbsd.org * search for lockf and flock, and use the first found (in that order) to lock the pid files @@ -815,7 +849,7 @@ Thu Apr 5 14:08:25 UTC 2001 lukem - Fix sentinel for the buffer in globtilde. It was off by x 2. Noted by Theo. -Thu Mar 29 16:57:17 EST 2001 lukem +Thu Mar 29 16:57:17 EST 2001 lu...@netbsd.org * release 1.0 beta 4 @@ -834,12 +868,12 @@ Thu Mar 29 16:57:17 EST 2001 lukem * support --enable-builtinls (default) and --disable-builtinls -Sun Mar 18 10:14:17 UTC 2001 lukem +Sun Mar 18 10:14:17 UTC 2001 lu...@netbsd.org * detect if d_namlen exists in struct dirent, and use in fts_open() appropriately -Sun Mar 18 08:30:01 UTC 2001 lukem +Sun Mar 18 08:30:01 UTC 2001 lu...@netbsd.org * released 1.0 beta3 @@ -858,7 +892,7 @@ Sun Mar 18 08:30:01 UTC 2001 lukem - hardcode blocksize to 1K - remove support for nsec comparison in time sorting -Sat Mar 17 12:02:51 UTC 2001 lukem +Sat Mar 17 12:02:51 UTC 2001 lu...@netbsd.org * generate cat manpages @@ -887,7 +921,7 @@ Sat Mar 17 12:02:51 UTC 2001 lukem define to something sane if not found; certain platforms have a lobotomised <paths.h> -Fri Mar 16 08:27:09 EST 2001 lukem +Fri Mar 16 08:27:09 EST 2001 lu...@netbsd.org * in getusershell.c, remove __P() and const cruft @@ -895,7 +929,7 @@ Fri Mar 16 08:27:09 EST 2001 lukem * define _PATH_SHELLS if there's no <path.h> -Wed Mar 14 18:49:57 EST 2001 lukem +Wed Mar 14 18:49:57 EST 2001 lu...@netbsd.org * released 1.0 beta2 @@ -903,7 +937,7 @@ Wed Mar 14 18:49:57 EST 2001 lukem * replace missing vsyslog -Sat Mar 10 09:15:46 EST 2001 lukem +Sat Mar 10 09:15:46 EST 2001 lu...@netbsd.org * replace missing getusershell @@ -913,7 +947,7 @@ Sat Mar 10 09:15:46 EST 2001 lukem * prototype getusershell et al if missing -Fri Mar 9 06:27:08 EST 2001 lukem +Fri Mar 9 06:27:08 EST 2001 lu...@netbsd.org * released 1.0 beta1 @@ -924,6 +958,6 @@ Fri Mar 9 06:27:08 EST 2001 lukem * add strtoll() -Thu Feb 1 12:24:00 EST 2001 lukem +Thu Feb 1 12:24:00 EST 2001 lu...@netbsd.org * released 1.0 alpha Index: othersrc/libexec/tnftpd/NEWS diff -u othersrc/libexec/tnftpd/NEWS:1.15 othersrc/libexec/tnftpd/NEWS:1.16 --- othersrc/libexec/tnftpd/NEWS:1.15 Sat Jul 4 06:49:19 2020 +++ othersrc/libexec/tnftpd/NEWS Sun Sep 24 01:23:17 2023 @@ -1,7 +1,12 @@ -$NetBSD: NEWS,v 1.15 2020/07/04 06:49:19 lukem Exp $ +$NetBSD: NEWS,v 1.16 2023/09/24 01:23:17 lukem Exp $ This is tnftpd version 20200704. +Changes in tnftpd from 20200704 to unreleased: + + Security fixes to improve error handling when switching UID/GID, + and to prevent MLSD and MLST before authentication succeeds. + Changes in tnftpd from 20190602 to 20200704: Adapt to NetBSD blocklistd(8) service rename.