Apple has released a revision to its 2004-09-07 Security Update,
numbered 1.1, which reportedly fixes a widespread, previously reported
FTP connectivity issue.
The problem, which disabled FTP capabilities for a number of users on
both Mac OS X 10.2.8 and Mac OS X 10.3.5 systems, generated the
error message: "User (username) may not use FTP" in most instances.
A previously reported workaround involved replacing the patched
version of Mac OS X's FTP daemon (ftpd) with the FTP daemon from
another Mac OS X installation that does not have the security update applied.
Security Update 2004-09-07's changes to Mac OS X's FTP components are
listed by Apple as follows: "(Eliminates) a rare condition that can
permit an authenticated remote attacker to cause a denial of service or
execute arbitrary code. [...] If the FTP service has been enabled, and
a remote attacker can correctly authenticate, then a race condition
would permit them to stop the FTP service or execute arbitrary code.
The fix is to replace the lukemftpd FTP service with tnftpd. lukemftp
is installed but not activated in Mac OS X Server, which instead uses
xftp [...]."
The revised version of Security Update 2004-09-07 is available
through Software Update.
rmkay
- Security Update 2004-09-07 Revision 1.1 Richard Kay