Date: Tue, 19 Oct 1999 00:00:00 GMT
From: WU-FTPD Development Group
To: WU-FTPD Questions, WU-FTPD Discussion List, WU-FTPD Announcements, FIRST Info
Subject: WU-FTPD 2.6.0 Released

DISTRIBUTION RESTRICTIONS: FOR PUBLIC RELEASE

-----BEGIN PGP SIGNED MESSAGE-----

The WU-FTPD Development Group is pleased to announce the release of
Version 2.6.0 of the WU-FTPD daemon.

This release includes a number of critical security enhancements and
corrections. All sites are strongly advised to upgrade to version 2.6.0
for maximum security.

Version 2.6.0 also provides a number of new features and corrections.
A summary of the changes appears below.

WU-FTPD Version 2.6.0 is available for download from the primary
distribution site:

   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.gz
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.gz.asc
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.Z
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.0.tar.Z.asc

MD5 sums for these files are:

   2857df9511e3a188bf5b0d92e1f8b36f  wu-ftpd-2.6.0.tar.Z
   ea5832b6822adbce9f9d882994b8cc96  wu-ftpd-2.6.0.tar.Z.asc
   652cfe4b59e0468eded736e7c281d16f  wu-ftpd-2.6.0.tar.gz
   83373918952617c5a6d480177c8dc74d  wu-ftpd-2.6.0.tar.gz.asc

A full list of international mirrors appears at the end of this email.

###########################################################################

Security updates

 o The SITE NEWER feature has been disabled. A compile-time option has
   been added to re-enable it. See config.h.noac for more information on
   this.

 o Filename globs for LIST, NLST and SITE EXEC, as well as a few internal
   uses, are simplified before processing. For example: */./../* becomes
   just *. This prevents certain memory starvation DoS attacks.

 o Fixed a bug in the restricted-uid/gid feature which could allow access
   outside the user's home directory in some cases.

 o Prevent buffer overruns when processing message files.
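The glob simplification above is worth seeing concretely, because the denial of service it prevents is combinatorial: every "*" component fans out over a directory's entries and every ".." climbs back up, so a pattern such as */../*/../*/../* makes the daemon visit a product of fan-outs while matching only what plain * would. The block below is an added example written for this page, not wu-ftpd's own code. simplify_glob() applies the rewrite the release describes (drop "." components, cancel a component followed by ".."), and expand() walks a small in-memory directory tree the way a naive glob expansion would, so the candidate counts for the raw and simplified pattern can be compared. The sample tree and the function names are this example's own.

```python
"""Glob simplification of the kind wu-ftpd 2.6.0 describes for LIST/NLST/SITE EXEC.

Added illustration, not the daemon's code. The directory tree below is constructed
for the example; names such as simplify_glob() and expand() are this example's own.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed sample tree: a dict is a directory, None is a file.
Tree = Dict[str, Optional[dict]]
SAMPLE_TREE: Tree = {
    "pub": {"wu-ftpd": {"README": None}, "incoming": {}, "old": {}},
    "etc": {"ftpaccess": None},
    "bin": {"ls": None},
}


def simplify_glob(pattern: str) -> str:
    """Rewrite a glob before expansion: drop "." components and cancel any
    component that is immediately followed by "..", so */./../* becomes *.

    Like the rewrite the announcement describes, this treats "x/.." as if it
    were nothing. It is a textual pre-filter on the pattern, not a filesystem
    path resolution (a symlinked directory would resolve differently), which
    is exactly why it is cheap enough to run on every request.
    """
    absolute = pattern.startswith("/")
    out: List[str] = []
    for comp in pattern.split("/"):
        if comp in ("", "."):
            continue
        if comp == ".." and out and out[-1] != "..":
            out.pop()  # "<something>/.." cancels, whatever <something> matches
            continue
        out.append(comp)
    joined = "/".join(out)
    if absolute:
        return "/" + joined
    return joined or "."


def expand(pattern: str, tree: Tree) -> List[str]:
    """Naive expansion of a relative glob against the sample tree.

    Every wildcard component fans out over all matching entries and every ".."
    climbs back to the parent, so the candidate set grows as a product of the
    fan-outs: this is the blow-up the 2.6.0 simplification defuses.
    """
    comps = [c for c in pattern.split("/") if c]
    results: List[str] = []

    def walk(node: Tree, parents: List[Tree], path: List[str], i: int) -> None:
        if i == len(comps):
            results.append("/".join(path) or ".")
            return
        comp = comps[i]
        if comp == ".":
            walk(node, parents, path, i + 1)
        elif comp == "..":
            parent = parents[-1] if parents else node  # the root is its own parent
            walk(parent, parents[:-1], path + [".."], i + 1)
        else:
            for name in sorted(node):
                if not fnmatch.fnmatchcase(name, comp):
                    continue
                child = node[name]
                if child is None:  # a file can only satisfy the last component
                    if i + 1 == len(comps):
                        results.append("/".join(path + [name]))
                else:
                    walk(child, parents + [node], path + [name], i + 1)

    walk(tree, [], [], 0)
    return results


def candidates_before_and_after(pattern: str, tree: Tree = SAMPLE_TREE) -> Tuple[int, int]:
    """Paths a naive expansion visits for the raw pattern and for its simplified form."""
    return len(expand(pattern, tree)), len(expand(simplify_glob(pattern), tree))


if __name__ == "__main__":
    for p in ("*", "*/./../*", "*/../*/../*/../*"):
        raw, simplified = candidates_before_and_after(p)
        print(f"{p:20s} -> {simplify_glob(p):4s}  raw={raw:3d}  simplified={simplified}")
```

With three top-level directories, the raw pattern */../*/../*/../* produces 3^4 = 81 candidate paths while its simplified form * produces 3; on a real anonymous FTP tree with hundreds of entries per level the raw count is what exhausted memory in the daemon.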
 o Corrected an error in the MAPPING_CHDIR feature which could be used to
   gain root privileges on the server.

 o Anonymous users could access the server even though no class was
   defined for them.

 o A buffer overrun in the ftpshut command has been corrected. Since, on
   most sites, the ftpshut command is only usable by the superuser, this
   is not considered a security issue. If you have installed ftpshut with
   suid-root permissions (not the default), then there is the possibility
   this overrun could be used to leverage root permissions.

 o Guest and anonymous logout was not recorded on Linux. Removed call to
   updwtmp and returned to old method of updating the lastlog.

 o A security deficiency on SunOS 4.1, not having a working getcwd()
   function, has been corrected by using the provided function.
   Compilation bugs in the portable getcwd() function have been corrected.

 o A bug in the parsing for the deny !nameserved ftpaccess clause has been
   corrected.

Major additions

 o Added the email-on-upload feature from BeroFTPD. See the ftpaccess man
   page for defaults on these added ftpaccess clauses:

      mailserver <hostname>
      incmail <emailaddress>
      mailfrom <emailaddress>
      virtual <address> incmail <emailaddress>
      virtual <address> mailfrom <emailaddress>
      defaultserver incmail <emailaddress>
      defaultserver mailfrom <emailaddress>

 o Redhat added the -I option to disable RFC931 (AUTH/ident). Added to the
   baseline so Redhat users don't see a loss of a feature. Setting the
   timeout for rfc931 to zero will do the same thing in the ftpaccess
   file.

 o Added -V command-line option to View the copyright and exit.

 o Added the privatepw command and documentation.

 o Added Kent Landfield's NEWVIRT scheme for extensive virtual hosting.
   See the updated documentation on virtual hosting for details.

 o ftprestart has been added to the base daemon kit.

 o Several new ftpaccess clauses have been added. These allow control of
   the various timeouts used within the daemon. The new clauses are:

      timeout accept <seconds>
      timeout connect <seconds>
      timeout data <seconds>
      timeout idle <seconds>
      timeout maxidle <seconds>
      timeout RFC931 <seconds>

 o Enhanced DNS extensions. This adds three ftpaccess clauses:

      dns refuse_mismatch <filename> [override]
      dns refuse_no_reverse <filename> [override]
      dns resolveroptions [options]

 o The daemon may now be built using GNU autoconf. This is in the early
   stages and not all platforms may be supported. The old build system
   will be maintained for at least the 2.6.0 release, until the major
   platforms are all known to be supported.

 o Two new ftpaccess clauses have been added. These allow the site admin
   to selectively allow PORT and PASV data connections where the remote IP
   address does not match the remote IP address on the control connection.
   The new clauses are:

      port-allow <class> <addrglob> [<addrglob> ...]
      pasv-allow <class> <addrglob> [<addrglob> ...]

 o Added an ftpaccess clause to enable TCP keepalives. This clause is:

      keepalive <yes|no>

 o You can now specify the xferlog filename for the default server just as
   you can for the virtual hosts, in the ftpaccess file. The new clause
   is:

      xferlog <path>

 o Added an internal implementation of /bin/ls. Testing showed the code was
   not quite ready for production use, so the feature has been disabled
   and labeled experimental.

Major corrections

 o Corrections for RFC compliance can break some clients.
   If possible, the broken client should be updated, but a compile-time
   option has been added. See the config.h.noac for more information on
   this.

 o The test for whether restricted-uid/restricted-gid applied should have
   been done before the chroot so it used the system /etc/passwd and
   /etc/group files.

 o deny-uid and deny-gid were being tested for anonymous users. Bad move,
   it's too easy to forget to allow them. Use 'defaultserver private' to
   keep anonymous users away.

 o Correct the operation of the NLST command. Finally. mget should now
   work as users expect it to.

 o Make sure the signal context is restored when jumping out of signal
   handlers. This was causing signal 11 on some systems.

 o Support for non-ANSI/ISO compilers has been removed. You MUST have an
   ANSI/ISO C compiler. This has been true for some time; all that has
   changed is that the (incomplete) support for older (K&R) compilers has
   been removed.

 o Myriad places where inactivity timeouts were not being properly
   detected or handled have been corrected. The directory listings now
   detect inactivity. The original NLST did not, which could lead to
   hanging daemons. C FILE handles for data connections are now always
   flushed, then the socket is shut down cleanly before being closed. As
   a side effect, the daemon now more often properly detects incomplete
   transfers. This can lead, though, to the xferlog showing the correct
   byte count (meaning the daemon read or wrote that many bytes over the
   data connection) but still logging the transfer as incomplete (meaning
   the socket did not shut down properly, so the client probably missed
   some data).

 o The daemon will now wait for the transfer to complete before sending
   'Transfer complete' or similar messages. This improves the daemon's
   reliability for poorly written clients which take receipt of the
   message as indication the transfer has completed rather than reading
   until the connection closes.
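The ftpaccess clauses introduced under Major additions above are easiest to judge together. The fragment below is an added illustration, not a file shipped with the release: the class names, host names, addresses, message-file paths and timeout values are placeholders chosen for this example, and the clause syntax follows the list in the announcement. The pair to watch is port-allow/pasv-allow: they relax the daemon's check that a data connection comes from the same address as the control connection, so they are scoped here to one class and one address range rather than granted to everyone.

```text
# Illustrative ftpaccess fragment (added example, not shipped with wu-ftpd 2.6.0).
# Class names, hosts, addresses, paths and values below are placeholders.

class   all   real,guest,anonymous   *

# Email-on-upload (from BeroFTPD): notify the admin of anonymous uploads.
mailserver  mail.example.org
incmail     ftpadmin@example.org
mailfrom    wu-ftpd@example.org

# Timeouts in seconds, so an abandoned connection cannot pin a daemon forever.
timeout accept   120
timeout connect  120
timeout data     1200
timeout idle     900
timeout maxidle  7200
timeout RFC931   10

# Refuse clients whose forward and reverse DNS disagree, or that have no
# reverse entry at all; the named file is the message shown before refusing.
dns refuse_mismatch    /etc/ftpd/msgs/refuse_mismatch
dns refuse_no_reverse  /etc/ftpd/msgs/refuse_no_reverse

# By default PORT/PASV data connections must come from the same IP as the
# control connection. Relax that only for a narrow class and a known address
# range; a blanket allowance reopens third-party (bounce) data connections.
class   proxyusers   real   192.0.2.*
port-allow  proxyusers  192.0.2.*
pasv-allow  proxyusers  192.0.2.*

keepalive  yes
xferlog    /var/log/xferlog
```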
 o The daemon will no longer hang attempting to close the RFC931 socket
   when the remote end is firewalled and does not respond to traffic for
   this protocol. This was determined to be inappropriate handling of
   SIGALRM; handling for this signal has been cleaned up throughout the
   daemon.

Errata

 o On Tru64 systems with C2 security enabled, real users cannot login.
   This problem is being worked on.

###########################################################################

The PGP signing key for the WU-FTPD Development Group is available from:

   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/PGP.public.key

with MD5 sum

   6fc6f7279f833327017bbc3b6e753c96  PGP.public.key

###########################################################################

The primary distribution site for the WU-FTPD daemon is:

   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

Mirrors are available at the following sites:

Australia
---------
   ftp://ftp.auscert.org.au/pub/mirrors/ftp.wu-ftpd.org/
   ftp://mirror.aarnet.edu.au/pub/wu-ftpd/
   http://mirror.aarnet.edu.au/pub/wu-ftpd/

Austria
-------
   ftp://gd.tuwien.ac.at/infosys/servers/ftp/wu-ftpd/
   http://gd.tuwien.ac.at/infosys/servers/ftp/wu-ftpd/

Canada
------
   ftp://ftp.crc.ca/pub/packages/ftp/servers/wuarchive-ftpd-vr/

Estonia
-------
   ftp://ftp.ut.ee/pub/unix/networking/wu-ftpd/

Germany
-------
   ftp://ftp.dpn.de/pub/mirrors/wu-ftpd/
   ftp://ftp.tu-clausthal.de:/pub/mirror/wu-ftpd/

Greece
------
   ftp://ftp.hol.gr/pub/packages/wu-ftpd/

Hungary
-------
   ftp://ftp.ahol.com/pub/mirrors/wu-ftpd/
   ftp://ftp.kfki.hu/pub/infosystems/wu-ftpd/

Iceland
-------
   ftp://ftp.gm.is/pub/wu-ftpd/

Ireland
-------
   ftp://ftp.medianet.ie/mirrors/ftp.wu-ftpd.org/pub/wu-ftpd/

Israel
------
   ftp://ftp.tau.ac.il/pub/unix/ftp/wu-ftpd/

Japan
-----

   Ring Server Project
   -------------------
   ftp://ftp.ring.gr.jp/pub/net/wu-ftpd/
   http://www.ring.gr.jp/archives/net/wu-ftpd/
   ftp://ring.aist.go.jp/pub/net/wu-ftpd/
   http://ring.aist.go.jp/archives/net/wu-ftpd/
   ftp://ring.asahi-net.or.jp/pub/net/wu-ftpd/
   http://ring.asahi-net.or.jp/archives/net/wu-ftpd/
   ftp://ring.so-net.ne.jp/pub/net/wu-ftpd/
   http://ring.so-net.ne.jp/archives/net/wu-ftpd/
   ftp://ring.nacsis.ac.jp/pub/net/wu-ftpd/
   http://ring.nacsis.ac.jp/archives/net/wu-ftpd/
   ftp://ring.etl.go.jp/pub/net/wu-ftpd/
   http://ring.etl.go.jp/archives/net/wu-ftpd/

   Other Japan sites
   -----------------
   ftp://ftp.win.ne.jp/pub/network/wu-ftpd/
   ftp://mirror.nucba.ac.jp/mirror/wu-ftpd/
   http://mirror.nucba.ac.jp/mirror/wu-ftpd/
   ftp://ftp.cin.nihon-u.ac.jp/pub/net/ftp/wu-ftpd-vr/
   ftp://ftp.riken.go.jp/pub/net/wu-ftpd/
   http://SunSITE.sut.ac.jp/pub/archives/packages/wu-ftpd/
   ftp://SunSITE.sut.ac.jp/pub/archives/packages/wu-ftpd/

Norway
------
   ftp://ftp.bitcon.no/pub/unix/networking/wu-ftpd/
   http://archive.bitcon.no/pub/unix/networking/wu-ftpd/

Poland
------
   ftp://ftp.task.gda.pl/pub/unix/ftp/wu-ftpd-vr/
   ftp://giswitch.sggw.waw.pl/pub/unix/wu-ftpd/

Spain
-----
   ftp://ftp.upc.es/pub/wu-ftpd/

Sweden
------
   ftp://ftp.sunet.se/pub/nir/ftp/servers/wuarchive-ftpd/
   http://ftp.sunet.se/pub/nir/ftp/servers/wuarchive-ftpd/

Switzerland
-----------
   ftp://sunsite.cnlab-switch.ch/mirror/wu-ftpd/

Taiwan
------
   ftp://ftp.nchu.edu.tw/pub/packages/wu-ftpd/
   http://pds.nchu.edu.tw/pub/packages/wu-ftpd/
   ftp://coda.nctu.edu.tw/pub/UNIX/wu-ftpd/

Turkey
------
   ftp://ftp.ulak.net.tr/pub/wu-ftpd/
   http://ftp.ulak.net.tr/pub/wu-ftpd/

United Kingdom
--------------
   ftp://sunsite.org.uk/Mirrors/ftp.vr.net/pub/wu-ftpd/
   http://sunsite.org.uk/Mirrors/ftp.vr.net/pub/wu-ftpd/
   ftp://ftp.ox.ac.uk/pub/comp/security/COAST/mirrors/ftp.vr.net/
   ftp://ftp.plig.org/pub/wu-ftpd/

United States
-------------

   New York
   --------
   ftp://ftp.academy.rpi.edu/pub/wu-ftpd/

   Ohio
   ----
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

   Texas
   -----
   ftp://ftp.landfield.com/wu-ftpd/wu-ftpd.org/
   http://www.landfield.com/wu-ftpd/wu-ftpd.org/

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQCVAwUBOAtCoA7NCCRiiFh1AQGSegP8CX7IatC8SQWE6uGwLV+QFBMgP6gmU3Di
pWci+U7O/6Ak6T2km3hUvSoebMN81VRHcBjNFZiC/ZcZ/VgzgEB+hxvHZ/Hu34ih
oA+iIGCFn9E49aBOY47jK7NzJvFYQ6+RTPKx9M6eFKPYUf83MdnlDUoDBawq1yvr
q33juMIKYjQ=
=w0z+
-----END PGP SIGNATURE-----