Re: ProFTP 1.2.0pre4 patch in CVS tree (terminates on signal 11)

> Chris Cappuccio <chris@dqc.org> wrote:
> > Unless you really need a feature provided by ProFTPD that isn't provided by
> > OpenBSD's ftpd (see the ftpd man page for a list of these), you are better
> > off going with the OpenBSD ftpd, as it has been audited for security!  The
> > recent problems with ProFTPD show that it has not received any such auditing.
> Personally I am absolutely appalled by ProFTPd, which as far as I am aware
> is a *new* project written entirely from scratch. There is absolutely no
> excuse for trivial buffer overruns in a new project, and the fact that
> it has had repeated trivial security holes for me makes the entire project
> a total waste of time.

And I warn everyone -- it's going to happen again....  they are still not
proactive, and they still don't know how to even use strncpy()...