1.3.0 Release Notes
------------------------
This file contains a description of the major changes to ProFTPD for the
1.3.0 release cycle, from the 1.3.0rc1 release to the 1.3.0-stable release.
More information on these changes can be found in the NEWS and ChangeLog
files.

1.3.0rc5
--------

  + Bugfixes:

    Fixed handling of CPPFLAGS and LDFLAGS settings with regards to
    the --with-includes and --with-libraries configure options.

    Fixed handling of REST commands using negative numbers.

    Worked around glibc-2.3 issues with looking up timezone information
    when the process has been chrooted.

    Fixed hanging of daemon processes on Mac OS X when shutting down.

1.3.0rc4
--------

  + Bugfixes:

    Mac OS X portability tweak.

    Fixed run-time detection of Unix domain sockets.

    Updated mod_ldap module.

    NetBSD and Solaris logging improvements.

  + New documentation:

    doc/howto/AuthFiles.html
    doc/howto/Quotas.html

1.3.0rc3
--------

  + Bugfixes:

    Miscellaneous SIGHUP fixes to the mod_ctrls and mod_tls modules.

    Limits higher than 255 set via the ListOptions directive are now
    properly honored.

    Using the --disable-ipv6 configure option no longer improperly
    enables IPv6 support.

    Better handling of the SSL session shutdown sequence in mod_tls.

    Miscellaneous tweaks to mod_facl and the FSIO API in order to
    better handle POSIX ACLs.

  + New documentation:

    doc/howto/Regex.html

1.3.0rc2
--------

  + Bugfixes:

    sean <infamous42md at hotpop.com> found two format string vulnerabilities,
    one in mod_sql's SQLShowInfo directive, and one involving the 'ftpshut'
    utility. Both can be considered low risk, as they require active
    involvement on the part of the site administrator in order to be
    exploited:

      Using 'ftpshut', the administrator has the ability to configure a
      shutdown message, which will be displayed to connecting clients. This
      message can make use of several variables. *If* a variable such as
      %C (current working directory) is used in that shutdown message, and
      an attacker is aware of this, the attacker can create a directory using
      an FTP client, and give the directory a name such that the %C variable
      discloses information that should not be available (i.e. the contents
      of nearby buffers). To prevent this scenario, administrators who use
      'ftpshut' should avoid using the %C, %R, and %U variables.

      The second case requires that the configuration use the SQLShowInfo
      directive provided by mod_sql. This directive can be used to add
      information from the SQL tables to response messages sent to the
      client. If misconfigured by the site administrator (by using data from
      tables into which a user can insert arbitrary strings), data pulled
      from the SQL tables could contain a malicious format string that is
      then interpreted when the response message is built. To prevent this,
      do not use SQLShowInfo.

    Both vulnerabilities are fixed in this 1.3.0rc2 release.
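The ftpshut case above, as an added example that is not ProFTPD's own code: a shutdown-message expander that substitutes %C, %R and %U by copying each value into the output and then emits the result under a fixed "%s" format, so a directory or user name containing '%' sequences reaches the client as literal text instead of being interpreted. The struct and function names (session_info, expand_shutdown_msg, send_shutdown_msg) and the sample values are constructed for this illustration.

```c
/* Added example, not ProFTPD code: expand the %C/%R/%U shutdown-message
 * variables by copying each value into the output, so the expanded text
 * is data and is never handed to printf-style functions as a format.
 * The struct and function names are constructed for this illustration. */
#include <stdio.h>
#include <string.h>

struct session_info {
    const char *cwd;         /* %C: current working directory (client-influenced) */
    const char *remote_host; /* %R: remote host */
    const char *user;        /* %U: user name supplied by the client */
};

/* Expand tmpl into dst. Returns the number of bytes written, or -1 if the
 * result would not fit. "%%" yields one '%'; unknown sequences and a
 * trailing lone '%' are copied through unchanged. */
static int expand_shutdown_msg(char *dst, size_t dstsz, const char *tmpl,
                               const struct session_info *si) {
    size_t out = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        char literal[2] = { *p, '\0' };
        const char *rep = NULL;

        if (*p == '%' && p[1] != '\0') {
            switch (p[1]) {
            case 'C': rep = si->cwd; break;
            case 'R': rep = si->remote_host; break;
            case 'U': rep = si->user; break;
            case '%': rep = "%"; break;
            default: break;
            }
            if (rep != NULL) p++; /* consume the variable letter */
        }
        if (rep == NULL) rep = literal;

        size_t len = strlen(rep);
        if (out + len >= dstsz) return -1; /* no room for text plus NUL */
        memcpy(dst + out, rep, len);
        out += len;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Emit with a fixed "%s" format: a '%' that came from a directory or user
 * name is sent literally rather than interpreted as a conversion. */
static int send_shutdown_msg(FILE *fp, const char *msg) {
    return fprintf(fp, "421 %s\r\n", msg);
}
```

With a constructed cwd of "/home/ftp/%x%x%n", the expanded message carries those characters verbatim and send_shutdown_msg writes them unchanged.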

  + Module enhancements:

    mod_ctrls_admin
      New 'dns' control action, for setting UseReverseDNS configuration
      at runtime.

    mod_delay
      Many improvements to stability.

    mod_sql_mysql
      The mod_sql_mysql module now handles the old MySQL password format
      more gracefully. Starting with MySQL 4.1.1, the format for passwords
      stored using the MySQL PASSWORD() function changed. This format change
      causes issues for sites that have passwords stored in the older format.
      Sites that run mod_sql+mod_sql_mysql would see this as users being
      unable to log in. Now, if compiled against MySQL 4.1.1 or later,
      mod_sql_mysql will first check the password using the current MySQL
      format; if that fails, it will fall back to checking the old format.
      Note that this only affects sites which have the "Backend" type in
      their SQLAuthTypes directive.

  + New documentation:

    doc/howto/DNS.html
    doc/howto/VirtualUsers.html

1.3.0rc1
--------

  + New configuration directives:

    MaxConnectionsPerHost
      Similar to MaxClientsPerHost, the administrator can configure
      the maximum number of connected clients from a single host at
      one time. Unlike MaxClientsPerHost, though, the
      MaxConnectionsPerHost limit is evaluated prior to authentication,
      i.e. before the client has sent any USER and PASS commands.

    SQLBackend
      mod_sql now supports a SQLBackend configuration directive, for
      selecting the specific database backend module to use on a per-vhost
      basis. Previously, mod_sql could only be compiled with one
      backend module at a time; the module has been enhanced to support
      multiple backend modules. Since multiple backends are now
      possible, SQLBackend was added so that the administrator could
      specify which to use. If only one backend module is used,
      e.g. mod_sql_mysql, then that backend is used by default, and
      no SQLBackend directive is required.

    SQLEngine
      mod_sql supports a new SQLEngine directive. This directive can
      be used to configure mod_sql to be used only for authentication,
      only for logging, or for both. It can also be used to create
      an <Anonymous> section that does not use mod_sql for lookups
      while still having mod_sql handle non-anonymous users.

    UseSendfile
      ProFTPD now automatically checks for sendfile support, and uses
      it if present. The UseSendfile directive can be used to configure
      proftpd not to use the sendfile() function if necessary.

      Note that if sendfile support is enabled, tools like ftpwho and
      ftptop will not show the transfer rate for downloads. These tools
      work by reading the scoreboard, and the scoreboard is updated
      periodically during uploads and downloads. However, when
      sendfile() is used, the scoreboard does not have a chance to be
      updated. This is only true for downloads; the tools will continue
      to show the transfer rate for uploads.

  + Enhanced configuration directives:

    ExtendedLog
      There is a new logging class, SEC (short for "SECURE").
      This logging class captures RFC2228-related security FTP commands.

    ListOptions
      The -S list option, for listing files sorted by file size, has
      been added.

  + New command-line options:

    The new -V and --settings command-line options display various
    compile-time settings of the compiled proftpd binary.

  + New configure options:

    --enable-dso
      This configure option enables DSO support in the compiled proftpd,
      and causes the mod_dso module to be compiled in. See the
      README.DSO and doc/howto/DSO.html files for details.

    --enable-facl
      This configure option enables support for POSIX ACLs, on
      systems that support them, in the compiled proftpd. See the
      README.facl file for more information.

  + New modules:

    mod_delay
      There is the possibility of a timing attack on proftpd, leading
      to discovery of valid user names (Bug #2480). This module was
      added to mitigate this timing attack; see doc/modules/mod_delay.html
      for more information.

    mod_dso
      This module handles the dynamic loading and unloading of shared
      modules from the running proftpd server. Note that this module
      requires the --enable-dso configure option to be used when compiling
      proftpd. See README.DSO for more information on shared modules.
      The doc/modules/mod_dso.html file contains documentation for this
      module.

    mod_facl
      This module uses the FSIO API to provide checking of file
      permissions that use POSIX ACLs. The --enable-facl configure
      option must be used when compiling proftpd for this module to
      be used. See the README.facl file for more information.

    mod_load
      This module provides the ability to deny a connection if the
      system load is above a configurable limit; useful for imposing
      resource restrictions. The doc/contrib/mod_load.html file
      contains documentation for this module.

  + Enhanced modules:

    mod_ldap
      The mod_ldap module has been updated to version 2.8.15.

    mod_quotatab
      The mod_quotatab module now supports enforcing hard limits at
      the filesystem level. This means that if the quota limit is
      a hard limit, and a client exceeds that limit, the upload
      will fail. Previously, the upload would succeed, but the file
      would be automatically deleted.

    mod_tls
      The mod_tls module now supports the CCC FTP command, which can
      be used by FTPS clients to secure data transfers with FTPS
      servers in a firewalled environment.

  + New Display variables:

    %{total_bytes_in}
    %{total_bytes_out}
    %{total_bytes_xfer}
    %{total_files_in}
    %{total_files_out}
    %{total_files_xfer}

    These new Display variables use the new variable syntax;
    see doc/howto/DisplayFiles.html for details.

  + Deprecated configuration directives:

    Bind
      The Bind directive was causing too much confusion, and did not
      do what many system administrators assumed it did. Rather than
      using Bind to associate a server configuration with an IP address,
      administrators would assume it was meant for making ProFTPD
      bind to a single address.

      Rather than having a configuration like this:

        <VirtualHost host1.domain.com>
          Bind host2.domain.com
          ...
        </VirtualHost>

      The <VirtualHost> and DefaultAddress directives can now handle
      multiple addresses, so that the above configuration becomes:

        <VirtualHost host1.domain.com host2.domain.com>
          ...
        </VirtualHost>

Last Updated: $Date: 2006/03/18 20:13:49 $