Fri, 8 Oct 2010

1:35 PM - Security issue

There is a security issue in glob(3) in libc that can lead to remote DoS attacks against ftpd and sftp servers. This affects many vendors.

I've committed patches to CURRENT and 0.3 branches, but 0.2 has not been patched yet. I'm still determining what the best approach is there. If you can't wait, go to 0.3-PRERELEASE.

The patch on those branches is based on a patch from DragonFly and NetBSD. You must build libc as well as sftp and reinstall them, then restart the ftpd and sftp services.