System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

HP certified newer version of WU-FTP

 
DharmaRao G
Advisor

HP certified newer version of WU-FTP

Hi there,

When is HP likely to release a new certified version of WU-FTP?

Thanks in advance,
D
6 REPLIES
Olivier Masse
Honored Contributor

Re: HP certified newer version of WU-FTP

Even if the release might not be the latest, HP does keep it current as far as security patches go. Development of the open source WU-FTPd has stopped anyway so don't expect new releases in the future except patches.

There are better alternatives such as PureFTPd, ProFTPd, etc which are easier to configure and have more modern features such as virtual users and privilege separation.

In my case I still use the stock HP-UX WU-FTPd for production since I can vouch to my security auditors that "a respectable vendor handles the security patches".

Good luck
Steven E. Protter
Exalted Contributor

Re: HP certified newer version of WU-FTP

Shalom,

HP provides binary updates for security issues to customers with software service contracts.

http://software.hp.com has the latest full version of wu-ftp

I try to keep it updated and use secure shell (same site) whenever possible as a more secur alternative.

Note with wu-ftp: Always disable root ftp access. Not doing so is a major security hazard as ftp authenticates in clear text. Yes it transmits the password in clear text available on any network node and easily read.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Michael Riegler
Occasional Visitor

Re: HP certified newer version of WU-FTP

Oliver,

Does HP state anywhere that the wu-ftp is updated with the latest security patches? Specifically the "WU-FTPD fb_realpath() Off-By-One Buffer Overflow" vulnerability on HP-UX 11.31. (CVE-2003-0466)

Thanks,
Mike
Olivier Masse
Honored Contributor

Re: HP certified newer version of WU-FTP

I might be mistaken, but my impression is that since WU-FTPd is part of the core operating system, HP is required to maintain and release security patches for that product. If Bob is reading this and I'm wrong, I'm sure he'll chip in to correct me.

Many questions arise in the ITRC forums because the stock HP-UX FTP daemon is based on WU-FTPd 2.6.1, while the last official release from the WU-FTPd development group is 2.6.2. From my understanding, what HP does is backport any security patches and add enhancements to their own fork of 2.6.1.

I take it for granted that the open source version of WU-FTPd is now unmaintained as there have been no updates for many years, their mailing lists have fallen silent, and their web site has been down for over a year now.

HP chose it as their stock server to replace the older (BSD/SysV?) ftpd back in 1998 since it was still very popular at the time, with a BSD-like license. It still does the job so they keep it at a statu quo for the time being. But any administrator who takes care of a busy or internet-exposed FTP site will probably want to use something else than WU-FTPd.

For your security issue in particular, there is a security bulletin about it here:
http://www13.itrc.hp.com/service/cki/docDisplay.do?docLocale=en&docId=emr_na-c00951272-3

Thanks
Steven E. Protter
Exalted Contributor

Re: HP certified newer version of WU-FTP

Shalom,

You say:
I might be mistaken, but my impression is that since WU-FTPd is part of the core operating system, HP is required to maintain and release security patches for that product. If Bob is reading this and I'm wrong, I'm sure he'll chip in to correct me.

Response:
You are not wrong. HP provides binary updates to the wu-ftpd server on a regular basis as security holes are found and made public. They are available to customers with a software support contract. They provide new versions on http://software.hp.com when they feel it is appropriate.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Michael Riegler
Occasional Visitor

Re: HP certified newer version of WU-FTP

Thanks for the replies. I was searching around the patch database and found the HP-UX patch equivalency table which shows that the issue is fixed in HP-UX 11.31. The patch PHNE_34544 for the wu-ftpd realpath vulnerability in HP-UX 11.11 is fixed in 11.31.

http://www13.itrc.hp.com/service/patch/document.do?docId=equiv_data1111to1131

PHNE_34544:ftpd(1M) and ftp(1) patch Fixed

Fixed - the defect repairs were integrated into the newer release.


Thanks again,
Mike