[news.sysadmin] The FTPD example

weemba@garnet.berkeley.edu (Obnoxious Math Grad Student) (11/11/88)

In article <27203@tut.cis.ohio-state.edu>, karl@triceratops (Karl Kleinpaste) writes:
>I submit as an example, yet again, the recent discovery of a security
>hole in ftpd.

I've not seen anyone post an explicit description of the FTPD bug, for
what I suspect is the following scenario:

	Those sysadmins who run anon FTP installed the fix, but
	a goodly number of others didn't.  Which could be serious
	when such a site decides to run anon FTP later on.

In contrast, the SENDMAIL bug has been described exactly, because I
think the general feeling is that no one left this unpatched--which
just might be true on the ARPANET, but is probably false elsewhere.

And the FTPD bug is much more serious.  So I simply don't have the
same confidence that you do when you write:

>The system works when given a decent chance to try to work.

It hasn't worked if those sysadmins not directly affected don't realize
that they have to act as if they were so affected.  Did everyone patch
their news software when the white-space-in-message-IDs bug was
discovered?  Or mostly just those hit by it?  Will we find out the hard
way when line noise hits a sendsys?  Ugh.

And besides, why was the SENDMAIL bug left open for so long?

You all have heard the current FTPD bug fix started with RTM himself
acting responsibly?  Ironic, no?  Not that I know what it means....

ucbvax!garnet!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720