HPE Community
Operating System - HP-UX
1753834 Members
7956 Online
108806 Solutions
New Discussion юеВ

Re: FTP upgrade

 
SOLVED
Go to solution
Cristian Ramirez V._1
Occasional Contributor

тАО04-30-2004 08:37 AM

тАО04-30-2004 08:37 AM

FTP upgrade


Hello everyone,
I have hpux 11.00, and a security report (by nessus) is saying that I have to upgrade my ftpd version. I don't know if such a thing exists. Could anybody tell me if I may upgrade only my ftp version and not my entire unix system ??, and, if it is possible, then how to??
Thanks in advance to all.

Cristian.
0 Kudos
Reply
8 REPLIES 8
A. Clay Stephenson
Acclaimed Contributor

тАО04-30-2004 08:44 AM

тАО04-30-2004 08:44 AM

Re: FTP upgrade

It would really help if you identified your current version and what the reccomended version is -- or at least what the deficiecies in your current version are.

In any event, you do not have to update the OS. Go the the ITRC Patch Database -> HP-UX Patches -> 11.0 and enter "ftpd" as a search string. Download and swinstall them.

Plan B. Install this version from the HP-UX Porting Centre:

http://hpux.connect.org.uk/hppd/hpux/Networking/FTP/pure_ftpd-1.0.8/
If it ain't broke, I can fix that.
0 Kudos
Reply
Cristian Ramirez V._1
Occasional Contributor

тАО04-30-2004 09:00 AM

тАО04-30-2004 09:00 AM

Re: FTP upgrade


Hello,
First at all, thanks for your quick answer. Well, yes, I checked for patches, but there is just one and it fixes a "ls" problem, so, it is no a security bug, in fact, HP says that there is no any security problem. But the people of the report insisted in upgrading ftp, action that I completely unknow (besides patching).

Cheers,
Cristian.
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО04-30-2004 09:04 AM

тАО04-30-2004 09:04 AM

Re: FTP upgrade

In that case, install the version from the HP-UX Porting Centre and update the line in inetd.conf and declare victory.
If it ain't broke, I can fix that.
0 Kudos
Reply
Navin Bhat_2
Trusted Contributor

тАО04-30-2004 09:05 AM

тАО04-30-2004 09:05 AM

Re: FTP upgrade

Use this URL to help you solve relevant security concerns ftpd etc...

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО04-30-2004 09:09 AM

тАО04-30-2004 09:09 AM

Re: FTP upgrade

With regards to ftp, the protocol has one fatal flaw. Authentication is in clear text.

If you really want to make your security auditors happy, stop using it in favor of secure ftp from secure shell.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

Another helpful hint is to limit what hosts can use ftp if you have to use it. /var/adm/inetd.sec

example attached.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Navin Bhat_2
Trusted Contributor

тАО04-30-2004 09:24 AM

тАО04-30-2004 09:24 AM

Solution

Re: FTP upgrade

According to the security bulletin Matrix slightly unreadable but you need to install PHNE_29460. Hope it helps.

Security Bulletin 162: Security Vulnerability in ftpd and ftp (rev.01)

Current Original
-------------------- --------------------
s300 8.00: None s300 8.00: None
s300 9.00: None s300 9.00: None
s300 9.03: None s300 9.03: None
s300 9.10: None s300 9.10: None
s700 8.05: None s700 8.05: None
s700 8.07: None s700 8.07: None
s700 9.01: None s700 9.01: None
s700 9.03: None s700 9.03: None
s700 9.05: None s700 9.05: None
s700 9.07: None s700 9.07: None
s700 9.09: None s700 9.09: None
s700 10.00: None s700 10.00: None
s700 10.01: [PHNE_23947/pachrdme/english] s700 10.01: [PHNE_23947/pachrdme/english]
s700 10.09: None s700 10.09: None
s700 10.10: [PHNE_23947/pachrdme/english] s700 10.10: [PHNE_23947/pachrdme/english]
s700 10.16: None s700 10.16: None
s700 10.20: [PHNE_23948/pachrdme/english] s700 10.20: [PHNE_23948/pachrdme/english]
s700 10.24: [PHNE_25894/pachrdme/english] s700 10.24: [PHNE_24394/pachrdme/english]
s700 10.26: None s700 10.26: None
s700 10.30: None s700 10.30: None
s700 11.00: [PHNE_29460/pachrdme/english] s700 11.00: [PHNE_23949/pachrdme/english]
s700 11.04: [PHNE_24395/pachrdme/english] s700 11.04: [PHNE_24395/pachrdme/english]
s700 11.10: None s700 11.10: None
s700 11.11: [PHNE_29461/pachrdme/english] s700 11.11: [PHNE_23950/pachrdme/english]
s700 11.20: None s700 11.20: None
s700 11.22: None s700 11.22: None
s700 11.23: None s700 11.23: None
s800 8.00: None s800 8.00: None
s800 8.02: None s800 8.02: None
s800 8.06: None s800 8.06: None
s800 9.00: None s800 9.00: None
s800 9.04: None s800 9.04: None
s800 9.08: None s800 9.08: None
s800 10.00: None s800 10.00: None
s800 10.01: [PHNE_23947/pachrdme/english] s800 10.01: [PHNE_23947/pachrdme/english]
s800 10.09: None s800 10.09: None
s800 10.10: [PHNE_23947/pachrdme/english] s800 10.10: [PHNE_23947/pachrdme/english]
s800 10.16: None s800 10.16: None
s800 10.20: [PHNE_23948/pachrdme/english] s800 10.20: [PHNE_23948/pachrdme/english]
s800 10.24: [PHNE_25894/pachrdme/english] s800 10.24: [PHNE_24394/pachrdme/english]
s800 10.26: None s800 10.26: None
s800 10.30: None s800 10.30: None
s800 11.00: [PHNE_29460/pachrdme/english] s800 11.00: [PHNE_23949/pachrdme/english]
s800 11.04: [PHNE_24395/pachrdme/english] s800 11.04: [PHNE_24395/pachrdme/english]
s800 11.10: None s800 11.10: None
s800 11.11: [PHNE_29461/pachrdme/english] s800 11.11: [PHNE_23950/pachrdme/english]
s800 11.20: None s800 11.20: None
s800 11.22: None s800 11.22: None
s800 11.23: None s800 11.23: None
Reply
Cristian Ramirez V._1
Occasional Contributor

тАО04-30-2004 09:56 AM

тАО04-30-2004 09:56 AM

Re: FTP upgrade

Thank you all for answering so quickly.
Concerning my question, just two comments, I cannot use ssh (in the meantime) and then sftp: APPLICATIONS !!!!, and that patch PHNE_29460 fixes a "ls" issue.

Thanks, I really apreciate your help.



0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО04-30-2004 01:28 PM

тАО04-30-2004 01:28 PM

Re: FTP upgrade

If Nessus fails to provide any background for the recommendation, I would simply run the security_patch_checker and bring your system up to date. If more details are needed, get the Nessus source code and track down the test(s) that generated the message.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.