Release: ginseng-ftpd v1.6
Date : September 6, 2001
By : Matthew Mondor

* Bugfix
  - If not using a read-only account, and no user home directory size limit
    was set, it was impossible to create a new directory. Thanks to
    Patrick K and to Steven Crim for pointing that out.
* Cleanup
  - Source code was generally cleaned up to be more readable.
  - Added a comment before the treesize() function about alloca(), because
    of the various "unfreed memory" messages (-:

Release: ginseng-ftpd v1.5
Date : April 17, 2001
By : Matthew Mondor

* Minor fix to compile with glibc 2.2
  - The SA_LEN macro was no longer defined. It is now defined if needed.

Release: ginseng-ftpd v1.4
Date : March 17, 2001
By : Matthew Mondor

* Security enhancement
  - Added sanity checking to prevent LIST/NLST from recursing on patterns
    such as
      ls /*/*/../../*/*/../../*/*/../../*/*/../../*/*
    Most ls implementations are vulnerable to this, including most BSD ls
    and GNU ls. ginseng-ftpd's internal ls is now fixed against that. Many
    other ftpds are vulnerable. This sanity checking had to be placed
    before the glob() and fts_open() calls. Also removed support for -R.
* Other
  - It was impossible to tell ftpd not to resolve hostnames, probably since
    support for tcp-wrappers (libwrap) was added. This is now fixed: the -n
    command switch will cause ftpd to not resolve any hostnames. With
    libwrap/tcpwrappers it is recommended not to use -n.
    For high load servers, use -D and -n, without inetd/xinetd.

Release: ginseng-ftpd v1.3
Date : February 17, 2001
By : Matthew Mondor

* New feature
  - Added new -p command-line option to specify the port ftpd should run on.
* Bug fix
  - Fixed a possible bug which could have treated a blank line containing
    spaces in /etc/ftpusers as an actual line.
* Security enhancement
  - Will now refuse to run if not started by the superuser, as the ftpd
    daemon has to be launched by root to work properly anyway.

Release: ginseng-ftpd v1.2
Date : February 1, 2001
By : Matthew Mondor

* First public release
  - Was modified from the Linux port of bsd-ftpd, which was taken from
    OpenBSD 2.8, which in turn was taken from NetBSD 1.5 ftpd.
* Changes
  - Fixed the single-byte vulnerability bug.
  - Added some sanity checking around seteuid() and setegid() calls.
  - Added additional error checking in the main accept() loop.
  - Modified the way /etc/ftpusers works to a better system, also making
    /etc/ftpchroot obsolete; a single file is used for account permissions.
  - Implemented home dir size limits.
  - Implemented read-only accounts.
  - Implemented optional PASV, LPSV and EPSV address masquerading to 0
    (using mmtcpfwd instead for this is recommended).
  - Each user can have a specific assigned umask (file creation permissions
    mask) and can optionally be locked with it, also preventing chmod.
  - Users need to be specified in /etc/ftpusers to be allowed any access.
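
The LIST/NLST pattern check described in the v1.4 entry, sketched as an added example; this is not ginseng-ftpd's own code. The function names, the rejection rules and the limit of three wildcard components are assumptions made for illustration.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

#define MAX_WILD_COMPONENTS 3   /* assumed limit, not ginseng-ftpd's */

/* Return 1 if a LIST/NLST pattern may be passed on to glob(), else 0.
 * Escaped wildcards are counted as wildcards, which is the strict side. */
int pattern_is_sane(const char *pat)
{
    int wild = 0, seen_wild = 0;
    const char *p = pat;

    while (*p != '\0') {
        const char *start;
        int has_wild = 0;

        while (*p == '/')                 /* skip separators */
            p++;
        start = p;
        for (; *p != '\0' && *p != '/'; p++)
            if (strchr("*?[", *p) != NULL)
                has_wild = 1;
        /* ".." after a wildcard climbs back up so the next wildcard
         * re-expands the same directories: the pattern from the entry. */
        if (p - start == 2 && start[0] == '.' && start[1] == '.' && seen_wild)
            return 0;
        if (has_wild) {
            seen_wild = 1;
            if (++wild > MAX_WILD_COMPONENTS)
                return 0;
        }
    }
    return 1;
}

/* Gate placed in front of glob(): -1 means rejected, glob() never ran. */
int checked_glob(const char *pat, glob_t *out)
{
    if (!pattern_is_sane(pat))
        return -1;
    return glob(pat, 0, NULL, out);
}

int main(void)
{
    const char *bad = "/*/*/../../*/*/../../*/*/../../*/*/../../*/*";
    printf("%s -> %s\n", bad, pattern_is_sane(bad) ? "accept" : "reject");
    printf("%s -> %s\n", "*.txt", pattern_is_sane("*.txt") ? "accept" : "reject");
    return 0;
}
```

The check is purely lexical, so it costs nothing on the filesystem and can run before any directory is opened, which is why the entry places it ahead of glob() and fts_open().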