Date: Sun, 19 Jan 1997 21:25:58 -0600 (CST)
From: wu-ftpd-bugs@academ.com (Stan Barber)
To: wu-ftpd@wugate.wustl.edu
Subject: Academ version of wu-ftpd 2.4 Release 2 Beta 12 available for testing

BETA 12 is now available. It has been tested on the following systems:

Solaris 2.4 Sparc and x86, SunOS 4.1.4, FreeBSD 2.1.5-RELEASE, BSD/OS 1.1,
BSD/OS 2.1, Unixware 2.1, SCO Open Server 5, Linux

I would like to hear from folks with access to HP-UX, Digital Unix, IRIX
and AIX in particular. Please send mail to the wu-ftpd-bugs@academ.com
address.

If hardware companies wish to donate equipment running their proprietary
UNIX derivatives to me for doing maintenance work on this and the other
packages I maintain (NNTP, RN, etc), please contact me directly to discuss.

If software companies that sell UNIX derivatives to which I don't have
access wish to donate copies of their UNIX derivative to me for the
purposes of doing maintenance work on this and the other packages I
maintain, please contact me directly to discuss.

I wish to offer my thanks to SCO for making available their OS software for
my testing of this release. Additionally, their support in documenting
problems in the software has been very helpful.

Additionally, I received some bug reports from the FreeBSD project for
which I am grateful.

Finally, both The AUS-CERT and the CERT/CC have continued to provide me
with feedback on the security issues with this software.

This is another release candidate. The location is:

ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-12.tar.Z

NOTE: This directory is protected. Attempts to use a directory listing
command will fail.

-0-FIXES IN THIS RELEASE-0-

Ticket Numbers 18, 20, 29, 31, 43, 46, 47, 50, 52, 59, 77, 92, 102, 107,
115, 118, 119, 124, 132, 134, and 137: Linux 2.0 (actually libc 5.3.12)
changed the way that directory manipulation was done.
This was reported by many folks:

root@kirk.vossnet.de, thogard@not.abnormal.com, root@startrek.in-trier.de,
babina@pex.net, mding@hcia.com, rog@therion.lamc.utexas.edu,
icculus@visi.net, tundra@nnenews.com, sohos@enviro-eng.com, fmouse@fmp.com,
c15o@zfn.uni-bremen.de, 100326.567@CompuServe.COM,
JWHITFIELD@wwcc.cc.wy.us, sgarrett@technomancer.com,
sullivan@odysseus.gonzaga.pvt.k12.dc.us, root@internexus.net,
mahadi@mtk.kpm.my, logic@shell.break.com.au, bat@xdiv.lanl.gov,
aaron@onr.com, crosser@average.org

The problem was that glob.c would not compile on Linux 2.X systems. The fix
was one suggested by crosser@average.org along with some work by me to
ensure that Linux 1.X users would still be able to use this on their
systems.
-------------------------------------------------------------------------------
Ticket Number 19 from ronald@demon.net pointed out a bug in processing
"SITE CHMOD 0". The command didn't work and the server didn't give a reply.
His fix is incorporated in this release.
-------------------------------------------------------------------------------
Ticket 28 from james@corp.netcom.net.uk and Ticket 105 from ianw@sco.com
noted that there were some instances in ftpcmd.y where values could be
NULL. This would cause segmentation violations on many flavors of Unix.
Ian's bug fixes were incorporated into this release.
-------------------------------------------------------------------------------
Ticket 49 from cfuga@colossus.rhon.itam.mx provided configuration files for
Digital Unix 3.2 with C2 Security. This is now integrated into this
release.
-------------------------------------------------------------------------------
Ticket 55 from claude@infobiogen.fr pointed out that Solaris 2.X does
support getrlimit. He suggested that a change be made to config.sol to make
use of that. This release does make that change.
-------------------------------------------------------------------------------
Ticket 57 from ianw@sco.com offered some adjustments for making better use
of available library routines in Unixware 2.1. This release has made some
of the adjustments he suggested.
-------------------------------------------------------------------------------
Ticket 60 from ianw@sco.com pointed out errors in the ftpd.8 manual page.
The suggested changes have been made in this release.
-------------------------------------------------------------------------------
Ticket 61 from noid@cyborg.larc.nasa.gov pointed out that when a null is
sent to the server, it should ignore it and it is treating it like EOF. Now
it ignores it. Fix from noid@cyborg.larc.nasa.gov was used.
-------------------------------------------------------------------------------
Ticket 62 from ianw@sco.com noted a typo on one of the URLs in the NOTES
file. This is fixed in this release. He also suggested that having the
debug mode log passwords is not good. He provided a fix for this and it is
also in this release.
-------------------------------------------------------------------------------
Ticket 65 from ianw@sco.com noted that subsequent file upload requests
can't be restarted correctly. He provided a fix for this and it is in this
release.
-------------------------------------------------------------------------------
Ticket 67 from ianw@sco.com noted RFC 1127's suggestions are not being
followed by this server and that STAT is using a 211 response when a 213 is
probably better. Those changes are in this release.
-------------------------------------------------------------------------------
Ticket 70 from ianw@sco.com pointed out a possible overflow problem when
processing the SITE CHMOD and SITE UMASK commands. The server did not check
for overflow conditions. His fix is incorporated in this release.
-------------------------------------------------------------------------------
Ticket 72 from ianw@sco.com noted that subsequent file requests can't be
aborted correctly. He provided a fix for this and it is in this release.
-------------------------------------------------------------------------------
Ticket 75 from the AUSCERT brought to my attention a need to check to be
sure the 100 element argv array in the popen subroutine is not overflowed.
This is now done. The other problem reported had been fixed in previous
releases.
-------------------------------------------------------------------------------
Ticket 76 from ianw@sco.com noted stderr output from ftpd when being
started by inetd was problematic. These error messages now go to syslog.
-------------------------------------------------------------------------------
Ticket 79 from ianw@sco.com noted that Unixware 2.1 supports getrlimit. So,
this is now added to config.uxw in the src/config directory.
-------------------------------------------------------------------------------
Ticket 80 from ianw@sco.com noted that fnmatch.c did not have the right
flags defined correctly. This is now fixed in this release.
-------------------------------------------------------------------------------
Ticket 81 from ianw@sco.com noted some typos in the manual pages. The
suggested changes have been made for this release.
-------------------------------------------------------------------------------
Ticket 83 from ianw@sco.com noted some macro inconsistency in the manual
pages. The suggested changes have been made for this release.
-------------------------------------------------------------------------------
Ticket 85 from ianw@sco.com pointed out places where files could or should
be closed. The suggested changes have been made for this release.
-------------------------------------------------------------------------------
Ticket 86 from ianw@sco.com suggests that the ftpgroups and ftpconversions
file checks in conversions.c and acl.c should be done using an fstat after
an open succeeds. The suggested changes have been made for this release.
-------------------------------------------------------------------------------
Ticket 87 from ianw@sco.com offers fixes for the basic problems introduced
in beta-11 with the virtual host code. There have been no changes in how
the configuration files are configured.
-------------------------------------------------------------------------------
Ticket 97 from alexis@dawn.ww.net pointed out a problem in the old virtual
code where an illegal strcpy was being done. This was fixed with the
patches in ticket 87.
-------------------------------------------------------------------------------
Ticket 98 from ianw@sco.com points out a bug introduced in the academ betas
with the T_ASCII flag in ftpconversions. Its meaning had become reversed
from what it used to be. This is now fixed.
-------------------------------------------------------------------------------
Ticket 100 from ianw@sco.com points out a misspelling in the notes file and
suggests a fix so that "anonymous" and "ftp" are made to be the same as far
as the server is concerned. This is included in this release.
-------------------------------------------------------------------------------
Ticket 103 from richard@atheist.tamu.edu offered some support files to make
it possible to build wu-ftpd on AU/X 3.0 and later. This is included in
this release.
-------------------------------------------------------------------------------
Ticket 106 from ianw@sco.com offers changes to ftpcmd.y to ensure that
free() is called when the arguments are non-null. These fixes are included
in this release.
-------------------------------------------------------------------------------
Ticket 108 from ianw@sco.com reports a bug in how the ftw.h file in the
support directory gets included when it shouldn't be for Unixware 2.1. This
fix is included in this release.
-------------------------------------------------------------------------------
Ticket 109 from ianw@sco.com reports a bug in how the shutdown feature
works. The bug is that new connections may continue to be accepted after
shutdown is in force. The suggested fixes have been included in this
release.
-------------------------------------------------------------------------------
Ticket 110 from ianw@sco.com suggests that all filename checking should be
case sensitive. I agree. Fixes to make that so are now included in this
release.
-------------------------------------------------------------------------------
Ticket 111 from ianw@sco.com reports a bug in how ftpcount reports classes
that can have an unlimited number of users. The suggested fixes have been
included in this release.
-------------------------------------------------------------------------------
Ticket 113 from ianw@sco.com suggests that ftpd should use getopt and I
agree. The suggested fixes are included in this release.
-------------------------------------------------------------------------------
Ticket 117 from ianw@sco.com pointed out two bugs in the build program
which are now fixed. It also pointed out an inconsistent use of #if versus
#ifdef in authenticate.c. This is also fixed.
-------------------------------------------------------------------------------
Ticket 120 from ianw@sco.com pointed out an inconsistency between the
documentation and how the server logs information. The server has been
fixed to document guest users in the xferlog with a "g" and real users with
a "r".
-------------------------------------------------------------------------------
Ticket 130 from ianw@sco.com pointed out a number of problems with upload
and offered fixes for these problems. They have been included in this
release.
-------------------------------------------------------------------------------
Ticket 131 from ianw@sco.com suggested that the readme directive should
really only apply to regular files. Suggested fixes included in this
release.
-------------------------------------------------------------------------------
Ticket 133 from ianw@sco.com provides a fix to permit bad autogroup entries
in the ftpaccess file to be ignored. Suggested fixes included in this
release.
-------------------------------------------------------------------------------
Ticket 139 from dg@root.com provides a significant security fix without
which regular and anonymous users could access files as the root user. This
fix is included in this release.
-------------------------------------------------------------------------------
Ticket 146 from alden@math.ohio-state.edu offers a fix to the virtual host
code that permits guest groups to continue to work. This fix is included in
this release.
-------------------------------------------------------------------------------
Ticket 152 from security@kinch.ark.com provided additional protection for
some operating systems over the protection provided in ticket 139. This is
included in this release, but has only been tested on the operating systems
listed in the ANNOUNCE-12 file.
-------------------------------------------------------------------------------
Ticket 152 from perry@news.IAEhv.nl suggested that the FreeBSD
configuration not install the sample configuration files over previously
existing ones. This release does not install them at all. A new approach
will be used in release 2.5 of this software that will address this for all
OSes supported.
-------------------------------------------------------------------------------
A message on the mailing list from May 2, 1996 by eilon@aristo.tau.ac.il
suggested a mechanism to permit AIX hosts to make effective use of the
virtual host feature in wu-ftpd. This mechanism has been included in this
release.
-------------------------------------------------------------------------------
A message to the mailing list from August 12, 1996 by schoepf@uni-mainz.de
suggested some changes to ftpcount.c to make it return more useful
information when used with Solaris2 and AIX. Those changes are included in
this release.
-------------------------------------------------------------------------------
A message to the mailing list sent January 13, 1997 by
Anders.X.Thulin@telia.se suggested that the use of putchar in ftpd.c and
ftpcmd.y might have side effects on argument lists when putchar is a macro.
The use of putchar has been changed to putc in these files for this
release.
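
Added example, not part of the announcement and not wu-ftpd source: the open-then-fstat pattern that Ticket 86 asks for, where the file-type check is made on the descriptor that was actually opened. The helper name `open_regular_file`, the regular-file test and the sample path are assumptions for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* fdopen, mkstemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not wu-ftpd code. Open first, then fstat() the
 * descriptor: the checks then describe the object that was actually
 * opened, which a stat() on the path before open() cannot guarantee. */
FILE *open_regular_file(const char *path)
{
    struct stat st;
    FILE *fp;
    /* O_NONBLOCK so that opening a FIFO cannot stall the server. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);

    if (fd < 0)
        return NULL;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);              /* directory, device, FIFO, ... */
        return NULL;
    }
    fp = fdopen(fd, "r");
    if (fp == NULL)
        close(fd);
    return fp;
}

int main(void)
{
    char path[] = "/tmp/ftpconv-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    FILE *fp;

    if (fd < 0)
        return 1;
    close(fd);
    fp = open_regular_file(path);
    printf("regular file: %s\n", fp ? "accepted" : "rejected");
    if (fp)
        fclose(fp);
    unlink(path);
    printf("directory:    %s\n", open_regular_file("/") ? "accepted" : "rejected");
    return 0;
}
```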
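
Added example, not part of the announcement and not wu-ftpd source: a bounds check of the kind Ticket 75 describes, splitting a command line into a fixed 100-element argv without writing past it. The names `split_args` and `split_n_words` are hypothetical, and refusing an over-long command (rather than truncating it) is a choice made for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* strtok_r */
#endif
#include <stdio.h>
#include <string.h>

#define MAXARGS 100   /* array size named in Ticket 75 */

/* Hypothetical helper, not wu-ftpd code. Split cmd in place on blanks.
 * Returns the word count, or -1 when the words plus the terminating
 * NULL would not fit in argv[max]; nothing is written past the array. */
int split_args(char *cmd, char *argv[], int max)
{
    char *save = NULL;
    char *tok;
    int argc = 0;

    if (max < 1)
        return -1;              /* no room even for the NULL */
    for (tok = strtok_r(cmd, " \t\n", &save); tok != NULL;
         tok = strtok_r(NULL, " \t\n", &save)) {
        if (argc >= max - 1)
            return -1;          /* refuse rather than truncate */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Build a constructed command line of n words and split it. */
int split_n_words(int n)
{
    static char buf[8 * 256];
    char *argv[MAXARGS];
    size_t used = 0;
    int i;

    if (n < 0 || n > 255)
        return -2;
    buf[0] = '\0';
    for (i = 0; i < n; i++)
        used += (size_t)snprintf(buf + used, sizeof buf - used, "arg%d ", i);
    return split_args(buf, argv, MAXARGS);
}

int main(void)
{
    printf("99 words -> %d\n", split_n_words(99));
    printf("100 words -> %d\n", split_n_words(100));
    return 0;
}
```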