From nobody@FreeBSD.org Thu Jul 18 23:13:32 2002
Return-Path:
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 08F6F37B400
	for ; Thu, 18 Jul 2002 23:13:32 -0700 (PDT)
Received: from www.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C4F7343E4A
	for ; Thu, 18 Jul 2002 23:13:31 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.4/8.12.4) with ESMTP id g6J6DVOT085066
	for ; Thu, 18 Jul 2002 23:13:31 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.4/8.12.4/Submit) id g6J6DVV4085065;
	Thu, 18 Jul 2002 23:13:31 -0700 (PDT)
Message-Id: <200207190613.g6J6DVV4085065@www.freebsd.org>
Date: Thu, 18 Jul 2002 23:13:31 -0700 (PDT)
From: Caitlen
To: freebsd-gnats-submit@FreeBSD.org
Subject: insecure default options
X-Send-Pr-Version: www-1.0

>Number:         40756
>Category:       ports
>Synopsis:       insecure default options
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 18 23:20:01 PDT 2002
>Closed-Date:    Mon Sep 08 05:35:01 PDT 2003
>Last-Modified:  Mon Sep 08 05:35:01 PDT 2003
>Originator:     Caitlen
>Release:        4.6, current cvsup ports collection
>Organization:
none
>Environment:
4.6-p3 release
>Description:
The port pure-ftpd is set up with an insecure default. Makefile's
configuration arguments do not include "--without-banner", so in effect
the system's status is given away every time someone remotely connects to
the machine. By default, the banner in pure-ftpd gives away a great deal
too much information.
>How-To-Repeat:
install pure-ftpd, run pure-ftpd, telnet to localhost 22
>Fix:
Compile pure-ftpd with --without-banner in the ./configure option.
You can do this by modifying the Makefile's configuration arguments
parameter.
>Release-Note:
>Audit-Trail:

From: Pete Fritchman
To: freebsd-gnats-submit@FreeBSD.org
Cc: j@pureftpd.org
Subject: Re: ports/40756: insecure default options
Date: Sun, 11 May 2003 11:14:40 -0500

 What does the maintainer think of this PR?

 http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/40756

From: Jedi/Sector One
To: Pete Fritchman
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/40756: insecure default options
Date: Sun, 11 May 2003 21:05:26 +0200

 On Sun, May 11, 2003 at 11:14:40AM -0500, Pete Fritchman wrote:
 > What does the maintainer think of this PR?
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/40756

 By default, the banner shows the number of connected users, the max
 allowed number of users, the local time, the load, and the max idle time
 before being disconnected.

 I don't see anything "insecure" there, just informative and more useful
 than it hurts.

 There's a compile --with-boring option for people who prefer minimal
 things, we could add this as a port option.

 --
  __  /*-    Frank DENIS (Jedi/Sector One)    -*\  __
  \ '/          Secure FTP Server           \' /
   \/          Misc. free software           \/

From: Pete Fritchman
To: Jedi/Sector One
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/40756: insecure default options
Date: Sun, 11 May 2003 20:41:34 -0500

 ++ 11/05/03 21:05 +0200 - Jedi/Sector One:
 | On Sun, May 11, 2003 at 11:14:40AM -0500, Pete Fritchman wrote:
 | > What does the maintainer think of this PR?
 | > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/40756
 |
 | By default, the banner shows the number of connected users, the max
 | allowed number of users, the local time, the load, and the max idle
 | time before being disconnected.

 I think the originator was referring to the initial connect (the 220
 banner).

 --pete

From: Jedi/Sector One
To: Pete Fritchman
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/40756: insecure default options
Date: Mon, 12 May 2003 08:47:43 +0159

 On Sun, May 11, 2003 at 08:41:34PM -0500, Pete Fritchman wrote:
 > I think the originator was referring to the initial connect (the 220
 > banner).

 Yup, this is also what I was talking about :)

 --
  __  /*-    Frank DENIS (Jedi/Sector One)    -*\  __
  \ '/          Secure FTP Server           \' /
   \/          Misc. free software           \/

State-Changed-From-To: open->closed
State-Changed-By: edwin
State-Changed-When: Mon Sep 8 05:34:47 PDT 2003
State-Changed-Why:
Maintainer has spoken.

http://www.freebsd.org/cgi/query-pr.cgi?pr=40756
>Unformatted:
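
Added example, not part of the PR and not pure-ftpd code: a check an administrator can run over a captured 220 greeting to see which of the items listed in the thread it discloses, for instance before and after rebuilding with --with-boring. The banner wording, the regexes and the function names are assumptions, since the PR does not quote the banner text.

```python
import re

# Items the maintainer says the greeting shows. The regexes are assumptions
# about the wording; the PR does not quote the banner itself.
DISCLOSURES = {
    "connected/max users": re.compile(r"user number \d+ of \d+", re.I),
    "local time": re.compile(r"local time", re.I),
    "load": re.compile(r"\bload\b", re.I),
    "idle timeout": re.compile(r"\d+ minutes? of inactivity", re.I),
}

def parse_greeting(raw):
    """Return the text of each line of an FTP 220 reply (RFC 959, 4.2)."""
    texts = []
    for line in raw.decode("ascii", "replace").splitlines():
        m = re.match(r"(\d{3})([ -])(.*)", line)
        if m is None:
            texts.append(line.strip())   # continuation line without a code
            continue
        code, sep, text = m.groups()
        if code != "220":
            raise ValueError("not a 220 greeting: " + line)
        texts.append(text.strip())
        if sep == " ":                   # "220 " (space) marks the last line
            return texts
    raise ValueError("greeting has no terminating '220 ' line")

def audit(raw):
    """List, in DISCLOSURES order, the items a greeting reveals."""
    lines = parse_greeting(raw)
    return [name for name, rx in DISCLOSURES.items()
            if any(rx.search(l) for l in lines)]

# Constructed samples: a verbose greeting and a minimal one.
VERBOSE = (b"220---------- Welcome ----------\r\n"
           b"220-You are user number 3 of 50 allowed.\r\n"
           b"220-Local time is now 08:47.\r\n"
           b"220 You will be disconnected after 15 minutes of inactivity.\r\n")
MINIMAL = b"220 FTP server ready.\r\n"

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(label, "->", audit(raw) or "nothing from the list")
```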