Module Name: othersrc
Committed By: lukem
Date: Sun Sep 24 01:23:17 UTC 2023
Modified Files:
othersrc/libexec/tnftpd: ChangeLog NEWS
Log Message:
update ChangeLog for yesterday's improvements
To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 othersrc/libexec/tnftpd/ChangeLog
cvs rdiff -u -r1.15 -r1.16 othersrc/libexec/tnftpd/NEWS
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: othersrc/libexec/tnftpd/ChangeLog
diff -u othersrc/libexec/tnftpd/ChangeLog:1.64 othersrc/libexec/tnftpd/ChangeLog:1.65
--- othersrc/libexec/tnftpd/ChangeLog:1.64 Sat Jul 4 06:49:19 2020
+++ othersrc/libexec/tnftpd/ChangeLog Sun Sep 24 01:23:17 2023
@@ -1,6 +1,40 @@
-$NetBSD: ChangeLog,v 1.64 2020/07/04 06:49:19 lukem Exp $
+$NetBSD: ChangeLog,v 1.65 2023/09/24 01:23:17 lukem Exp $
-Sat Jul 4 06:40:38 UTC 2020 lukem
+Sat Sep 23 05:39:49 UTC 2023 [email protected]
+
+ * Security fixes:
+ * CVE-2020-7468: Improve error handling when switching UID/GID.
+ * Prevent MLSD and MLST before authentication succeeds.
+
+ * Update to NetBSD-ftpd 20230922:
+ * Treat failed chdir/chroot for guest and chroot accounts as
+ fatal. Also treat failed set{e,}(u,g}id calls as fatal.
+ Addresses CVE-2020-7468, via FreeBSD.
+ * Improve seteuid error handling, per suggestion by Simon
+ Josefsson.
+ * Add missing check_login checks for MLST and MLSD.
+
+ * Sync libnetbsd replacements with NetBSD upstream:
+ * Replace fgetln() with tools/compat implementation that
+ handles embedded NULs.
+ * Fix inet_net_pton() to avoid integer overflow in bits.
+ * Fix inet_ntop() to set errno when returning NULL.
+ * Fix inet_pton() to improve hex formatting.
+ * Fix sl_add() to not update size unless realloc() succeeds.
+
+ * Improve portability on NetBSD by providing own setprogname()
+ and getprogname(), instead of defining global __progname.
+
+ * Update example ftpusers to use example DNS and IP addresses.
+
+ * Build fixes:
+ * Improve configure's display of detected features.
+ * Enable more POSIX extensions.
+ * Only replace glob() if required GLOB_ flags aren't available.
+ * Only replace fts_open() if required FTS_ flags aren't
+ available.
+
+Sat Jul 4 06:40:38 UTC 2020 [email protected]
* Release as "tnftpd 20200704".
@@ -11,11 +45,11 @@ Sat Jul 4 06:40:38 UTC 2020 lukem
* Increase some buffer sizes.
* Rename blacklist to blocklist.
-Sun Jun 2 05:56:12 UTC 2019 lukem
+Sun Jun 2 05:56:12 UTC 2019 [email protected]
* Release as "tnftpd 20190602".
-Tue Jan 29 23:12:52 UTC 2019 lukem
+Tue Jan 29 23:12:52 UTC 2019 [email protected]
* Limit fnmatch(), fts(), strsuftollx() recursion to avoid
DoS attacks. From Maksymilian Arciemowicz.
@@ -56,13 +90,13 @@ Tue Jan 29 23:12:52 UTC 2019 lukem
* Remove endorsement clause from some of my licenses.
-Mon Mar 25 03:51:20 UTC 2013 lukem
+Mon Mar 25 03:51:20 UTC 2013 [email protected]
* Release as "tnftpd 20130325"
* Fix incorrect use of test(1) in configure.
-Fri Mar 22 09:00:00 UTC 2013 lukem
+Fri Mar 22 09:00:00 UTC 2013 [email protected]
* Release as "tnftpd 20130322"
@@ -81,7 +115,7 @@ Fri Mar 22 09:00:00 UTC 2013 lukem
* Reduce priority of syslog message if getpeername returns
ENOTCONN. PR/18934 from Greg A Woods.
-Wed Mar 24 12:34:09 UTC 2010 lukem
+Wed Mar 24 12:34:09 UTC 2010 [email protected]
* Release as "tnftpd 20100324"
@@ -89,7 +123,7 @@ Wed Mar 24 12:34:09 UTC 2010 lukem
* Security fix; apply NetBSD popen.c 1.37:
PR/43023: Bruce Cran: FTPD bug remote crash
-Mon Jan 4 05:51:15 UTC 2010 lukem
+Mon Jan 4 05:51:15 UTC 2010 [email protected]
* Regenerate .manin manual page sources from upstream sources.
@@ -98,12 +132,12 @@ Mon Jan 4 05:51:15 UTC 2010 lukem
* Distribute various files not shipped by default automake rules,
to use 'make dist' instead of 'cvs export'.
-Wed Dec 30 01:48:57 UTC 2009 lukem
+Wed Dec 30 01:48:57 UTC 2009 [email protected]
* Release as "tnftpd 20091122"
-Sat Nov 7 11:13:38 UTC 2009 lukem
-
+Sat Nov 7 11:13:38 UTC 2009 [email protected]
+
* Convert to automake & libtool.
* Rename config.h to tnftpd_config.h.
@@ -121,7 +155,7 @@ Sat Nov 7 11:13:38 UTC 2009 lukem
* Log both the hostname and numeric address.
* Improve man page mdoc formatting
-Sun Mar 1 03:10:40 UTC 2009 lukem
+Sun Mar 1 03:10:40 UTC 2009 [email protected]
* fts_open.c:
- Ensure fts_close() doesn't spuriously close fd 0,
@@ -131,22 +165,22 @@ Sun Mar 1 03:10:40 UTC 2009 lukem
damage.
Received from OpenBSD via US-CERT as VU #590371.
-Tue Dec 30 22:36:05 UTC 2008 lukem
+Tue Dec 30 22:36:05 UTC 2008 [email protected]
* Fix the SIA implementation, per feedback from Onno van der Linden.
-Sat Dec 20 07:41:22 UTC 2008 lukem
+Sat Dec 20 07:41:22 UTC 2008 [email protected]
* Install into ${exec_prefix}/libexec instead of ${exec_prefix}/sbin
-Fri Dec 19 05:08:56 UTC 2008 lukem
+Fri Dec 19 05:08:56 UTC 2008 [email protected]
* Add support for Tru64 Security Integration Architecture (SIA)
authentication.
Patch from Onno van der Linden, with autoconf tests written by me.
Refer to configure's --with-sia option.
-Tue Oct 28 08:15:35 UTC 2008 lukem
+Tue Oct 28 08:15:35 UTC 2008 [email protected]
* Perform the shadow password expiry checks using days rather than
seconds, otherwise an sp_max of 99999 (default on Debian) would
@@ -155,7 +189,7 @@ Tue Oct 28 08:15:35 UTC 2008 lukem
locked out.
Problem noted by Takashi SHIRAI.
-Thu Oct 9 02:06:46 UTC 2008 lukem
+Thu Oct 9 02:06:46 UTC 2008 [email protected]
* Tagged as "tnftpd-20081009".
@@ -174,13 +208,13 @@ Thu Oct 9 02:06:46 UTC 2008 lukem
* Don't assume that HAVE_STRUCT_PASSWD_PW_CHANGE means you have
_PASSWORD_CHGNOW.
-Mon Sep 29 00:56:00 UTC 2008 lukem
+Mon Sep 29 00:56:00 UTC 2008 [email protected]
* Tagged as "tnftpd-20080929".
* Updated version to "tnftpd 20080929".
-Sat Sep 27 16:05:08 UTC 2008 lukem
+Sat Sep 27 16:05:08 UTC 2008 [email protected]
* Tweak make's subdir traversal.
@@ -194,7 +228,7 @@ Sat Sep 27 16:05:08 UTC 2008 lukem
* Consistency tweaks in AC_MSG_CHECKING.
-Sun Sep 21 16:34:30 UTC 2008 lukem
+Sun Sep 21 16:34:30 UTC 2008 [email protected]
* Change RCSID from Id to NetBSD.
@@ -216,27 +250,27 @@ Sun Sep 21 16:34:30 UTC 2008 lukem
Both features from Rudolf Cejka.
(FreeBSD's tnftpd port maintainer).
-Sat Sep 20 01:47:15 UTC 2008 lukem
+Sat Sep 20 01:47:15 UTC 2008 [email protected]
* Add fts_free() to complement fts_alloc(), and use instead of free().
Should avoid a memory leak on systems without ALIGNBYTES.
-Wed Sep 17 03:43:14 UTC 2008 lukem
+Wed Sep 17 03:43:14 UTC 2008 [email protected]
* Check for DIR.dd_fd, DIR.__dd_fd, and dirfd(),
and provide a replacement dirfd() if possible.
-Fri Aug 15 04:24:01 UTC 2008 lukem
+Fri Aug 15 04:24:01 UTC 2008 [email protected]
* Improve "Configuration results" display.
Fix handling of with_skey=auto.
-Thu Jun 12 09:00:22 UTC 2008 lukem
+Thu Jun 12 09:00:22 UTC 2008 [email protected]
* Search for and #include <sys/resource.h> after <sys/time.h>;
fixes build on OS X 10.3.x.
-Mon Jun 9 03:08:29 UTC 2008 lukem
+Mon Jun 9 03:08:29 UTC 2008 [email protected]
* Tagged as "tnftpd-20080609".
@@ -250,7 +284,7 @@ Mon Jun 9 03:08:29 UTC 2008 lukem
password prompts.
* Improve some debug logging related to PAM.
-Sun Jun 1 06:04:00 UTC 2008 lukem
+Sun Jun 1 06:04:00 UTC 2008 [email protected]
* Disable --with-skey by default.
@@ -284,7 +318,7 @@ Sun Jun 1 06:04:00 UTC 2008 lukem
* Add check for madvise().
-Sun Mar 9 21:05:10 UTC 2008 lukem
+Sun Mar 9 21:05:10 UTC 2008 [email protected]
* Sync fts source with NetBSD:
- Sync to src/include/fts.h 1.17
@@ -303,14 +337,14 @@ Sun Mar 9 21:05:10 UTC 2008 lukem
* Support @EXEEXT@. Use .PHONY.
-Tue Jul 24 00:06:52 UTC 2007 lukem
+Tue Jul 24 00:06:52 UTC 2007 [email protected]
* Set YACC to @YACC@ so that AC_PROG_YACC DTRT on systems
that only have bison.
* Avoid an 'unused variable' warning.
-Mon Jul 23 11:42:21 UTC 2007 lukem
+Mon Jul 23 11:42:21 UTC 2007 [email protected]
* Don't use non-standard: u_char u_short u_int.
Use uint32_t instead of u_int32_t.
@@ -341,7 +375,7 @@ Mon Jul 23 11:42:21 UTC 2007 lukem
* Explicitly exit(1) at the end of main(), to suppress a compile
warning on certain systems.
-Sun Jul 22 11:27:29 UTC 2007 lukem
+Sun Jul 22 11:27:29 UTC 2007 [email protected]
* Sync to config.guess 2007-07-22, config.sub 2007-06-28.
@@ -361,14 +395,14 @@ Sun Jul 22 11:27:29 UTC 2007 lukem
- always use our arpa_ftp.h rather than trying to detect if
FTP_NAMES works.
-Mon Mar 19 01:00:19 UTC 2007 lukem
+Mon Mar 19 01:00:19 UTC 2007 [email protected]
* Change the return value of the replacement gai_strerror()
from "char *" to "const char *", to match the current
standards.
Problem noted by Thomas Klausner.
-Mon Dec 18 04:08:33 UTC 2006 lukem
+Mon Dec 18 04:08:33 UTC 2006 [email protected]
* Tagged as "tnftpd-20061217".
@@ -376,7 +410,7 @@ Mon Dec 18 04:08:33 UTC 2006 lukem
* Provide a replacement daemon(3) for systems that lack it.
-Mon Dec 4 02:09:16 UTC 2006 lukem
+Mon Dec 4 02:09:16 UTC 2006 [email protected]
* Tagged as "tnftpd-20061204".
@@ -384,7 +418,7 @@ Mon Dec 4 02:09:16 UTC 2006 lukem
* Added NEWS file back.
-Wed Sep 27 05:22:18 UTC 2006 lukem
+Wed Sep 27 05:22:18 UTC 2006 [email protected]
* Implement ftpd_poll() using poll(), or select() if poll() isn't
available. Reenable -D, using ftpd_poll().
@@ -493,7 +527,7 @@ Mon Jul 25 15:31:21 UTC 2005 ginsbach
* Update ftpd.c to NetBSD-ftpd 20041209
+ Fix inverted test for aged passwords.
-Wed Dec 1 09:17:50 UTC 2004 lukem
+Wed Dec 1 09:17:50 UTC 2004 [email protected]
* Add autoconf test for struct passwd.pw_change
@@ -506,13 +540,13 @@ Wed Dec 1 09:17:50 UTC 2004 lukem
will not be allowed FTP access. Inspired by similar
functionality in other FTP daemons.
-Tue Aug 10 00:59:10 UTC 2004 lukem
+Tue Aug 10 00:59:10 UTC 2004 [email protected]
* Tagged as "tnftpd-20040810".
* Updated version to "tnftpd 20040810"
-Tue Aug 10 00:48:58 UTC 2004 lukem
+Tue Aug 10 00:48:58 UTC 2004 [email protected]
* BSD/OS 3.0 portability fixes from Jeremy C. Reed:
* Use _POSIX_LOGIN_NAME_MAX if sysconf(_SC_LOGIN_NAME_MAX)
@@ -557,11 +591,11 @@ Fri Dec 19 22:57:50 UTC 2003 grant
* Honour --sysconfdir.
-Thu Dec 18 00:49:31 UTC 2003 lukem
+Thu Dec 18 00:49:31 UTC 2003 [email protected]
* Tagged & released as "tnftpd-20031217"
-Wed Dec 17 01:44:40 UTC 2003 lukem
+Wed Dec 17 01:44:40 UTC 2003 [email protected]
* Updated version to "tnftpd 20031217".
@@ -572,7 +606,7 @@ Wed Dec 17 01:44:40 UTC 2003 lukem
* Fix cut & paste botch in fallback #define for LLONG_MIN.
(noted by Onno).
-Tue Dec 16 02:13:49 UTC 2003 lukem
+Tue Dec 16 02:13:49 UTC 2003 [email protected]
* Document how to enable large file support on Solaris.
@@ -581,7 +615,7 @@ Tue Dec 16 02:13:49 UTC 2003 lukem
* Rename HAVE_QUAD_SUPPORT to HAVE_WORKING_LONG_LONG.
-Tue Dec 16 00:42:58 UTC 2003 lukem
+Tue Dec 16 00:42:58 UTC 2003 [email protected]
* Updated version to "tnftpd 20031216".
@@ -594,7 +628,7 @@ Tue Dec 16 00:42:58 UTC 2003 lukem
* Convert the 4 clause UCB licensed code to the 3 clause license.
-Wed Dec 10 02:30:19 UTC 2003 lukem
+Wed Dec 10 02:30:19 UTC 2003 [email protected]
* tagged as "tnftpd 20031210"
@@ -623,19 +657,19 @@ Wed Dec 10 02:30:19 UTC 2003 lukem
in PR 22410 by Joel Baker, confirmed to the board by Jason
Downs. With additional thanks to Jason Thorpe.
-Wed Dec 10 01:33:35 UTC 2003 lukem
+Wed Dec 10 01:33:35 UTC 2003 [email protected]
* replace netbsd.org with NetBSD.org as appropriate.
* replace libnetbsd/fgetln.c with the better version
that Christos wrote (as found in tnftp).
-Thu Jul 31 09:10:49 UTC 2003 lukem
+Thu Jul 31 09:10:49 UTC 2003 [email protected]
* work-around missing LLONG_MAX and LLONG_MIN on Darwin.
Patch from Yuji Yamano.
-Mon Mar 3 03:42:42 UTC 2003 lukem
+Mon Mar 3 03:42:42 UTC 2003 [email protected]
* manually apply revs 1.75-1.76 from netbsd repo:
- fix typos accidentally introduced in rev 1.70
@@ -644,18 +678,18 @@ Mon Mar 3 03:42:42 UTC 2003 lukem
* replace missing sete[gi]uid() with setres[ug]id() if the
latter exists. (for HP-UX)
-Fri Feb 28 04:02:48 UTC 2003 lukem
+Fri Feb 28 04:02:48 UTC 2003 [email protected]
* replace references to `ftpd' in manual pages with `tnftpd',
update the dates, and regenerate the catdoc pages.
-Thu Feb 27 03:15:51 UTC 2003 lukem
+Thu Feb 27 03:15:51 UTC 2003 [email protected]
* tagged as "tnftpd 2.0 beta3"
* only use MAP_FILE if its available
-Wed Feb 26 14:51:51 UTC 2003 lukem
+Wed Feb 26 14:51:51 UTC 2003 [email protected]
* fixes from Tetsuya Isaki:
- provide adhoc definition of LOGIN_NAME_MAX for slackware 8.1
@@ -671,7 +705,7 @@ Wed Feb 26 14:51:51 UTC 2003 lukem
- remove dummy "" arg from .Nm in man pages
-Mon Feb 24 06:32:44 UTC 2003 lukem
+Mon Feb 24 06:32:44 UTC 2003 [email protected]
* update to NetBSD-current 2003-02-23
- maintain a cwd cache
@@ -685,7 +719,7 @@ Mon Feb 24 06:32:44 UTC 2003 lukem
bound to for an extended period of time, locking out
all other PORT connections.
-Sun Dec 8 13:09:20 UTC 2002 lukem
+Sun Dec 8 13:09:20 UTC 2002 [email protected]
* tagged as "tnftpd 2.0 beta2"
@@ -695,41 +729,41 @@ Sun Dec 8 13:09:20 UTC 2002 lukem
* update to NetBSD-current 2002-10-08
-Sat Oct 26 12:25:03 UTC 2002 lukem
+Sat Oct 26 12:25:03 UTC 2002 [email protected]
* tagged as "tnftpd 2.0 beta1"
-Sat Oct 26 03:24:45 UTC 2002 lukem
+Sat Oct 26 03:24:45 UTC 2002 [email protected]
* renamed release to `tnftpd'
* renamed `libukem' to `libnetbsd'
-Wed Jun 5 12:57:46 UTC 2002 lukem
+Wed Jun 5 12:57:46 UTC 2002 [email protected]
* don't bother checking if <glob.h> is usable since we're
always compiling in our own glob.c
-Thu May 23 02:43:41 UTC 2002 lukem
+Thu May 23 02:43:41 UTC 2002 [email protected]
* released 1.2 beta 2
* replace fnmatch(3) if FNM_CASEFOLD isn't available
-Sat Mar 16 01:28:28 UTC 2002 lukem
+Sat Mar 16 01:28:28 UTC 2002 [email protected]
* libukem/glob.c: Fix two problems in the KNR->ANSI conversion
noticed by Yuji Yamano.
-Thu Mar 14 06:02:31 UTC 2002 lukem
+Thu Mar 14 06:02:31 UTC 2002 [email protected]
* released 1.2 beta 1
-Thu Mar 14 05:39:24 UTC 2002 lukem
+Thu Mar 14 05:39:24 UTC 2002 [email protected]
* libukem/snprintf.c: fix compile errors with gcc 3.x
-Sat Mar 1 07:10:54 UTC 2002 lukem
+Sat Mar 1 07:10:54 UTC 2002 [email protected]
* update to NetBSD-current 2002-03-01
User visible changes include:
@@ -747,21 +781,21 @@ Sat Mar 1 07:10:54 UTC 2002 lukem
- fix skey password challenge
- don't try and use the motd directive if it's not set
-Thu Feb 28 01:39:06 UTC 2002 lukem
+Thu Feb 28 01:39:06 UTC 2002 [email protected]
* update libukem/glob.c from NetBSD's __glob13.c rev 1.22 and rev 1.23
-Wed May 9 02:04:08 UTC 2001 lukem
+Wed May 9 02:04:08 UTC 2001 [email protected]
* released 1.1
-Sat Apr 28 07:13:57 UTC 2001 lukem
+Sat Apr 28 07:13:57 UTC 2001 [email protected]
* released 1.1 beta 1
* determine if crypt() and getusershell() need declarations
-Wed Apr 25 06:27:08 UTC 2001 lukem
+Wed Apr 25 06:27:08 UTC 2001 [email protected]
* update to NetBSD-current 2001-04-25:
- update copyrights
@@ -776,7 +810,7 @@ Wed Apr 25 06:27:08 UTC 2001 lukem
and adding a flag to struct tab, to indicate if or not
it's acceptable for a command to occur OOB.
-Tue Apr 17 08:20:09 UTC 2001 lukem
+Tue Apr 17 08:20:09 UTC 2001 [email protected]
* look for <arpa/nameser.h>
@@ -788,7 +822,7 @@ Tue Apr 17 08:20:09 UTC 2001 lukem
* remove unused sverrno in warnx() and errx()
-Fri Apr 13 16:02:40 UTC 2001 lukem
+Fri Apr 13 16:02:40 UTC 2001 [email protected]
* improve test for long long support so that it's only enabled
if printf supports %ll or %q and they do the right thing.
@@ -802,11 +836,11 @@ Fri Apr 13 16:02:40 UTC 2001 lukem
make checkportcmd address family independent, and correct
IPv4 case. PR 12558.
-Sun Apr 8 03:35:55 UTC 2001 lukem
+Sun Apr 8 03:35:55 UTC 2001 [email protected]
* release 1.0
-Thu Apr 5 14:08:25 UTC 2001 lukem
+Thu Apr 5 14:08:25 UTC 2001 [email protected]
* search for lockf and flock, and use the first found (in that
order) to lock the pid files
@@ -815,7 +849,7 @@ Thu Apr 5 14:08:25 UTC 2001 lukem
- Fix sentinel for the buffer in globtilde. It was off
by x 2. Noted by Theo.
-Thu Mar 29 16:57:17 EST 2001 lukem
+Thu Mar 29 16:57:17 EST 2001 [email protected]
* release 1.0 beta 4
@@ -834,12 +868,12 @@ Thu Mar 29 16:57:17 EST 2001 lukem
* support --enable-builtinls (default) and --disable-builtinls
-Sun Mar 18 10:14:17 UTC 2001 lukem
+Sun Mar 18 10:14:17 UTC 2001 [email protected]
* detect if d_namlen exists in struct dirent, and use in
fts_open() appropriately
-Sun Mar 18 08:30:01 UTC 2001 lukem
+Sun Mar 18 08:30:01 UTC 2001 [email protected]
* released 1.0 beta3
@@ -858,7 +892,7 @@ Sun Mar 18 08:30:01 UTC 2001 lukem
- hardcode blocksize to 1K
- remove support for nsec comparison in time sorting
-Sat Mar 17 12:02:51 UTC 2001 lukem
+Sat Mar 17 12:02:51 UTC 2001 [email protected]
* generate cat manpages
@@ -887,7 +921,7 @@ Sat Mar 17 12:02:51 UTC 2001 lukem
define to something sane if not found; certain platforms have a
lobotomised <paths.h>
-Fri Mar 16 08:27:09 EST 2001 lukem
+Fri Mar 16 08:27:09 EST 2001 [email protected]
* in getusershell.c, remove __P() and const cruft
@@ -895,7 +929,7 @@ Fri Mar 16 08:27:09 EST 2001 lukem
* define _PATH_SHELLS if there's no <path.h>
-Wed Mar 14 18:49:57 EST 2001 lukem
+Wed Mar 14 18:49:57 EST 2001 [email protected]
* released 1.0 beta2
@@ -903,7 +937,7 @@ Wed Mar 14 18:49:57 EST 2001 lukem
* replace missing vsyslog
-Sat Mar 10 09:15:46 EST 2001 lukem
+Sat Mar 10 09:15:46 EST 2001 [email protected]
* replace missing getusershell
@@ -913,7 +947,7 @@ Sat Mar 10 09:15:46 EST 2001 lukem
* prototype getusershell et al if missing
-Fri Mar 9 06:27:08 EST 2001 lukem
+Fri Mar 9 06:27:08 EST 2001 [email protected]
* released 1.0 beta1
@@ -924,6 +958,6 @@ Fri Mar 9 06:27:08 EST 2001 lukem
* add strtoll()
-Thu Feb 1 12:24:00 EST 2001 lukem
+Thu Feb 1 12:24:00 EST 2001 [email protected]
* released 1.0 alpha
Index: othersrc/libexec/tnftpd/NEWS
diff -u othersrc/libexec/tnftpd/NEWS:1.15 othersrc/libexec/tnftpd/NEWS:1.16
--- othersrc/libexec/tnftpd/NEWS:1.15 Sat Jul 4 06:49:19 2020
+++ othersrc/libexec/tnftpd/NEWS Sun Sep 24 01:23:17 2023
@@ -1,7 +1,12 @@
-$NetBSD: NEWS,v 1.15 2020/07/04 06:49:19 lukem Exp $
+$NetBSD: NEWS,v 1.16 2023/09/24 01:23:17 lukem Exp $
This is tnftpd version 20200704.
+Changes in tnftpd from 20200704 to unreleased:
+
+ Security fixes to improve error handling when switching UID/GID,
+ and to prevent MLSD and MLST before authentication succeeds.
+
Changes in tnftpd from 20190602 to 20200704:
Adapt to NetBSD blocklistd(8) service rename.
