topic Re: FTP upgrade in Operating System - HP-UX

FTP upgrade

Cristian Ramirez V._1 — Fri, 30 Apr 2004 15:37:20 GMT

Hello everyone,
I have hpux 11.00, and a security report (by nessus) is saying that I have to upgrade my ftpd version. I don't know if such a thing exists. Could anybody tell me if I may upgrade only my ftp version and not my entire unix system ??, and, if it is possible, then how to??
Thanks in advance to all.

Cristian.

Re: FTP upgrade

A. Clay Stephenson — Fri, 30 Apr 2004 15:44:49 GMT

It would really help if you identified your current version and what the reccomended version is -- or at least what the deficiecies in your current version are.

In any event, you do not have to update the OS. Go the the ITRC Patch Database -> HP-UX Patches -> 11.0 and enter "ftpd" as a search string. Download and swinstall them.

Plan B. Install this version from the HP-UX Porting Centre:

http://hpux.connect.org.uk/hppd/hpux/Networking/FTP/pure_ftpd-1.0.8/

Re: FTP upgrade

Cristian Ramirez V._1 — Fri, 30 Apr 2004 16:00:31 GMT

Hello,
First at all, thanks for your quick answer. Well, yes, I checked for patches, but there is just one and it fixes a "ls" problem, so, it is no a security bug, in fact, HP says that there is no any security problem. But the people of the report insisted in upgrading ftp, action that I completely unknow (besides patching).

Cheers,
Cristian.

Re: FTP upgrade

A. Clay Stephenson — Fri, 30 Apr 2004 16:04:23 GMT

In that case, install the version from the HP-UX Porting Centre and update the line in inetd.conf and declare victory.

Re: FTP upgrade

Navin Bhat_2 — Fri, 30 Apr 2004 16:05:02 GMT

Use this URL to help you solve relevant security concerns ftpd etc...

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

Re: FTP upgrade

Steven E. Protter — Fri, 30 Apr 2004 16:09:17 GMT

With regards to ftp, the protocol has one fatal flaw. Authentication is in clear text.

If you really want to make your security auditors happy, stop using it in favor of secure ftp from secure shell.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

Another helpful hint is to limit what hosts can use ftp if you have to use it. /var/adm/inetd.sec

example attached.

SEP

Re: FTP upgrade

Navin Bhat_2 — Fri, 30 Apr 2004 16:24:33 GMT

According to the security bulletin Matrix slightly unreadable but you need to install PHNE_29460. Hope it helps.

Security Bulletin 162: Security Vulnerability in ftpd and ftp (rev.01)

Current Original
-------------------- --------------------
s300 8.00: None s300 8.00: None
s300 9.00: None s300 9.00: None
s300 9.03: None s300 9.03: None
s300 9.10: None s300 9.10: None
s700 8.05: None s700 8.05: None
s700 8.07: None s700 8.07: None
s700 9.01: None s700 9.01: None
s700 9.03: None s700 9.03: None
s700 9.05: None s700 9.05: None
s700 9.07: None s700 9.07: None
s700 9.09: None s700 9.09: None
s700 10.00: None s700 10.00: None
s700 10.01: [PHNE_23947/pachrdme/english] s700 10.01: [PHNE_23947/pachrdme/english]
s700 10.09: None s700 10.09: None
s700 10.10: [PHNE_23947/pachrdme/english] s700 10.10: [PHNE_23947/pachrdme/english]
s700 10.16: None s700 10.16: None
s700 10.20: [PHNE_23948/pachrdme/english] s700 10.20: [PHNE_23948/pachrdme/english]
s700 10.24: [PHNE_25894/pachrdme/english] s700 10.24: [PHNE_24394/pachrdme/english]
s700 10.26: None s700 10.26: None
s700 10.30: None s700 10.30: None
s700 11.00: [PHNE_29460/pachrdme/english] s700 11.00: [PHNE_23949/pachrdme/english]
s700 11.04: [PHNE_24395/pachrdme/english] s700 11.04: [PHNE_24395/pachrdme/english]
s700 11.10: None s700 11.10: None
s700 11.11: [PHNE_29461/pachrdme/english] s700 11.11: [PHNE_23950/pachrdme/english]
s700 11.20: None s700 11.20: None
s700 11.22: None s700 11.22: None
s700 11.23: None s700 11.23: None
s800 8.00: None s800 8.00: None
s800 8.02: None s800 8.02: None
s800 8.06: None s800 8.06: None
s800 9.00: None s800 9.00: None
s800 9.04: None s800 9.04: None
s800 9.08: None s800 9.08: None
s800 10.00: None s800 10.00: None
s800 10.01: [PHNE_23947/pachrdme/english] s800 10.01: [PHNE_23947/pachrdme/english]
s800 10.09: None s800 10.09: None
s800 10.10: [PHNE_23947/pachrdme/english] s800 10.10: [PHNE_23947/pachrdme/english]
s800 10.16: None s800 10.16: None
s800 10.20: [PHNE_23948/pachrdme/english] s800 10.20: [PHNE_23948/pachrdme/english]
s800 10.24: [PHNE_25894/pachrdme/english] s800 10.24: [PHNE_24394/pachrdme/english]
s800 10.26: None s800 10.26: None
s800 10.30: None s800 10.30: None
s800 11.00: [PHNE_29460/pachrdme/english] s800 11.00: [PHNE_23949/pachrdme/english]
s800 11.04: [PHNE_24395/pachrdme/english] s800 11.04: [PHNE_24395/pachrdme/english]
s800 11.10: None s800 11.10: None
s800 11.11: [PHNE_29461/pachrdme/english] s800 11.11: [PHNE_23950/pachrdme/english]
s800 11.20: None s800 11.20: None
s800 11.22: None s800 11.22: None
s800 11.23: None s800 11.23: None

Re: FTP upgrade

Cristian Ramirez V._1 — Fri, 30 Apr 2004 16:56:41 GMT

Thank you all for answering so quickly.
Concerning my question, just two comments, I cannot use ssh (in the meantime) and then sftp: APPLICATIONS !!!!, and that patch PHNE_29460 fixes a "ls" issue.

Thanks, I really apreciate your help.

Re: FTP upgrade

Bill Hassell — Fri, 30 Apr 2004 20:28:01 GMT

If Nessus fails to provide any background for the recommendation, I would simply run the security_patch_checker and bring your system up to date. If more details are needed, get the Nessus source code and track down the test(s) that generated the message.