Date: Mon, 4 Mar 1999 01:00:00 -0500 (EST)
From: Gregory A Lundberg
To: WU-FTPD Discussion List
Subject: [VR16] WU-FTPD-2.4.2-VR16 Released

WU-FTPD-2.4.2-VR16 is now available.

The VR updates for WU-FTPD include additional features requested over the years by the user community and include a number of bug fixes for both the base 2.4.2 release. This update merges the changes from WU-FTPD 2.4.2 (Beta 18) to WU-FTPD 2.4.2 (Release) into the VR series.

These are available as both patches and pre-patched tarballs at:

    ftp://ftp.vr.net/pub/wu-ftpd/

A current mirrors listing is available at:

    ftp://ftp.vr.net/pub/wu-ftpd/MIRRORS

    MD5                               Package
    ---                               -------
    dfbe72dacd206024137841f5e10b6d1a  wu-ftpd-2.4.2-vr16.tar.Z
    c2ceee93041032939ae06371c8ae913e  wu-ftpd-2.4.2-vr16.tar.gz
    435b768e7295b9727fc144db9b870ac1  wu-ftpd-2.4.2-vr16.patch

If you take just the patch files, please remember: they are cumulative. You cannot apply fixes from one set without earlier sets already having been applied. The first set for BETA-18 is VR3; VR1 and VR2 were for BETA-17 only. The first set for WU-FTPD-2.4.2 is VR16; VR3 through VR15 were for BETA-18 only. A patch set covering the changes from BETA-18-VR15 to VR16 is available in the attic directory.

Pre-compiled binaries for VR15 are available. Check the binaries directory to see if a pre-compiled version is available for your platform. Since no significant changes were made for VR16, there will be no binaries for it.

This is a list of fixes to BETA 18 with VR15 applied from lundberg@vr.net

---------------------------------------------------------------------------
WU-FTPD 2.4.2 FINAL RELEASE, FEBRUARY 26, 1999

If you missed it, it's because Stan Barber never announced it publicly.

These changes represent the differences from WU-FTPD-2.4.2-BETA-18 to the released version, WU-FTPD-2.4.2. This is the first release of WU-FTPD 2.4.2 with VR upgrades.

Two patch files are available for this VR update.

- wu-ftpd-2.4.2-vr16.patch
  Contains all differences between 2.4.2 and 2.4.2-VR16.

- wu-ftpd-2.4.2-beta-18-vr16.patch
  Contains the differences from 2.4.2-beta-18-vr15 to 2.4.2-vr16; this is available in the attic at ftp.vr.net to document the actual changes for this release.

---------------------------------------------------------------------------

TODO list renumbered to match Stan's 2.4.2 TODO list.

Documentation of unexpected behavior: upload no allowed directory creation. doc/examples/ftpaccess.heavy update as an example of this behavior. I believe this is NOT true for the VR versions, but have not tested as yet.

Documentation clarification for ftphosts, ftp or anonymous listed in the file will disable anonymous ftp access.

Possible pointer overrun in acl.c parsing ftpaccess corrected.

Literal constant in ftpcmd.y changed to static to reduce program size.

ftpcount/ftpwho interpretation of start/stop times made to match the way the daemon actually does it.

setproctitle() in ftpd.c updated to avoid a buffer overrun and handle low memory conditions; SCO corrections.

Possible buffer overrun parsing 'virtual root' and 'virtual logfile' corrected.

A timeout timer was being reset at the wrong point during STOR.

Corrections for Sun/Solaris paths in pathnames.h

Makefile for DEC/Unix (dec and du4) changed from cc -std1 to cc -std.

Correction in syslog support for DEC/Unix in support/syslog.c.

util/xferstats corrected to parse your local domain name rather than just assuming you're academ.com.

Other changes are white-noise or simply for style and do not affect the operation of the daemon in any way.

VR-specific changes
---------------------------------------------------------------------------

Reviewing the changes, I noted the makefile for hiu had a typo and would not install two manpages. No other changes from VR15 were made.

--
Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg+wuftpd@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195
--

The following message is included in the WU-FTPD-2.4.2 package but was never publicly posted to the WU-FTPD mailing lists.

---------- Forwarded message ----------
From: wu-ftpd-bugs@academ.com (Stan Barber)
Subject: Academ version of wu-ftpd 2.4 Release 2 is available
To: wu-ftpd@mail.wustl.edu,cert@cert.org

Release 2 is now available. It has been tested on the following systems:

    BSD/OS 3.1
    BSDI BSD/386 1.1
    FreeBSD 2.2.7-RELEASE
    Slackware Linux 96 (3.1)
    Slackware Linux 3.3
    Redhat Linux 5.1
    Redhat Linux 5.2
    SCO Open Server 5
    Solaris 2.4 x86 (gcc 2.7.2.1)
    Solaris 2.5.1 x86 (gcc 2.7.2.3)
    Solaris 2.5.1 sparc (SunC 3.0.1)
    Solaris 2.6 sparc (SunC 3.0.1)
    Solaris 2.6 sparc (gcc 2.7.2.3)
    Solaris 2.6 x86 (gcc 2.7.2.3)
    SunOS 4.1.4 sparc (bundled cc)
    UnixWare 2.1.1

If hardware companies wish to donate equipment running their proprietary UNIX derivatives to me for doing maintenance work on this and the other packages I maintain (NNTP, RN, etc), please contact me directly to discuss.

If software companies that sell UNIX derivatives to which I don't have access wish to donate copies of their UNIX derivative to me for the purposes of doing maintenance work on this and the other packages I maintain, please contact me directly to discuss.

This version is the final release. The location is:

    ftp://ftp.academ.com/pub/wu-ftpd/wu-ftpd-2.4.2.tar.Z

You can also check http://www.academ.com/academ/wu-ftpd for more information.

-------------------------------------------------------------------------------

The major fix in this release is to address the problems referred to in CERT Advisory CA-99-03-FTP-Buffer-Overflows. This involved fixes to the real_path subroutine as well as changes in the size of the buffers used when calling this routine.

------------------------------------------------------------------------------

Some changes were made to address some problems compiling on Digital Unix that were provided by Reiner Dassing. As I have no access to this operating system, I can't be sure they do anything useful, but they are there none the less.

------------------------------------------------------------------------------

Jeff Laing provided a fix to help address a precedence problem involving the PORT command.

------------------------------------------------------------------------------

Ian Willis offered a number of fixes. Those are included in this version:

    o fixed a memory allocation/free problem in acl.o
    o fixed some remaining problems in the proctitle subroutines
    o fixed some documentation problems in the manual pages
    o fixed an off-by-one problem in ftpcount.c
    o fixed a bug in getaclentry so that previously defined values are not reused
    o fixed a problem in the receive_data subroutine

------------------------------------------------------------------------------