pkgsrc-Users archive
Re: tnftpd 20231001 released
> On 1 Oct 2023, at 19:07, Thomas Klausner <wiz%gatalith.at@localhost> wrote:
>
> On Sun, Oct 01, 2023 at 05:50:56PM +1100, Luke Mewburn wrote:
>> I've released tnftpd 20231001.
>>
>> Changes in tnftpd from 20200704 to 20231001:
>>
>> Security fixes to improve error handling when switching UID/GID,
>> and to prevent MLSD and MLST before authentication succeeds.
>>
>> Fix buffer overflows when counting users, and when authenticating
>> using PAM.
>
> Are any of these important enough that we should have an entry in pkg-vulnerabilities about them?
>
I think so. The MLSD and MLST issues for sure, as listing files before authentication is bad. The buffer overflows were detected by shm@ with an address sanitizer: it's unclear if they're easily exploitable though.
>> The pkgsrc package net/tnftpd should be updated.
>
> I've just done that.
> Thomas
Thanks.
Luke.