> > Pleeeeeeease, I had explicitly restricted my statements to the audited
> > version of wu-ftpd. I quote from the SuSE security advisory June 2000:
>
> The point is that not everyone uses SuSE, let alone their audited
> version.

True, and then other vendors should have copied the fixes. The issue is that whoever said (something like) "wu-ftpd is useless because of too many security issues" is not entirely correct. It is misinformation wrt the audited version. And yes, people use that too.

> So saying that wu-ftpd has had no major problems since SuSE
> audited the code is irrelevant to users of other distros such as RedHat,
> Debian etc.

True. As irrelevant as saying wu-ftpd is too unsafe for use, to those who use the safe(r) version. There is more than one side to wu-ftpd - that's what I'm trying to say. The issue as to which ftpd to use is debated as editors. Plenty of opinions.

Volker

> (I note that SuSE in their advisory recommended using the audited 2.4
> version but still provided fixes for 2.6. Does this mean they also
> shipped the vulnerable version?

Probably.

> Why?

My guess is for those who prefer features over security? Customer demand? Choice? Who knows? Does it matter?

> What was the default ftpd
> installed at that time?

Too many versions since, sorry can't answer. I remember that in several versions of the distro wu-ftpd was not the default ftpd. The current ships with at least 3, all disabled by default, even if installed.
