This file contains all major changes made during the development of bftpd.
The uppermost change is the newest one.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 6.1
 - Fixed linking errors on latest compilers GCC/Clang by
   addressing variable scope.
 - Make sure we do not rely on argv or argv[0] being valid.
   Bftpd now exits with an error if arguments are not passed as expected.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 6.0
 - Make extended passive mode respect the PASSIVE_PORTS variable
   in the bftpd configuration file. Previously random ports
   would be assigned.
 - Minor code clean-up in mystrings library to avoid calculating
   string length multiple times.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.9
 - Fixed output of directory listing so that file size is right-justified
   which makes output look cleaner.
   Fix suggested by uomo ukko.
 - Addressed some compiler warnings. Make sure we bail out
   of situations even if they should never realistically return
   an error.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.8
 - Many spelling errors in source code and documentation found and
   fixed by Jens of Fossies (fossies.org). Applied spelling corrections.
 - Removed mark-up and special characters from COPYING, README, and INSTALL
   files.
 - Fixed file size reporting on 32-bit ARM architecture when files are
   large (greater than 2GB).
   Problem and fix reported by uomo ukko.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.7
 - A malicious client could cause a buffer overflow with
   a lot of EPSV commands sent in a row. We now close
   the pasv socket before each new use to avoid accumulating
   more than 1023.
   Thanks to Shisong Qin for reporting this issue and suggesting
   a fix.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.6
 - Fixed file transfer ratios so that an empty
   ratio, such as one set by running Bftpd without
   a configuration file, results in there being no
   ratio.
 - Fixed potential string overflow issue in
   mystring.c code. Avoids situations where an
   unusually large string might be able to overwrite
   a buffer.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.5
 - Fixed a file descriptor leak which could cause the Bftpd
   server to run out of available files it can open when storing/uploading
   files.
   Eric Debief provided a patch to correct the issue.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.4
 - Fixed potential one-by-one heap issue when
   reading during transferring files.
   Issue reported by Antonio Morales.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.3
 - Made the situation where FILE_AUTH more clear, advised
   against it. Added warning about making sure password
   file is not readable by anyone other than the admin.
 - Updated Makefile.in to use more fine-grained dependency
   checks. Should speed up compiling when just one
   source file has been altered.
   New Makefile.in provided by Vemake.
 - Fixed out of bounds memory read when fetching options.
   Issue reported by and solution provided by Antonio Morales.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.2
 - Make sure we do not send extra newline when DENY message
   is sent to the client.
 - Fixed some build dependencies in the Makefile so fresh
   build is triggered by updating config.h.
   Change provided by Vemake.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.1
 - Fixed duplicate error message when user tries to
   sign in with invalid username.
 - Make sure user can change username before
   successfully authenticating.
 - Fix error message when "type" command is not
   given a parameter.
 - Make sure we do not return multiple error
   codes when an account is disabled.
 - Do not drop connection to client when
   selected account is disabled.
 - Make sure when accounts are disabled/denied, they print the
   proper reason (set in the config file) back to the client.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 5.0
 - Added more checks to places where we are mapping a file
   or checking for symbolic links. Should avoid trying to
   operate on invalid path names or broken symlinks.
   Issue reported by Xu.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.9
 - Several checks added to chdir() and other
   return codes to make sure syscalls are all returning
   properly. Patch provided by Zhouyang Jia.
 - Fixed some compiler warnings due to unused or
   oddly indented code.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.8
 - Fixed potential double-free bug during Bftpd shutdown.
 - Fixed potential uninitialized variable.
   Thanks to Alex for reporting these bugs.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.7
 - Fixed memory leak in rename function.
   Thanks to Alex for reporting this bug.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.6
 - Avoid memory corruption when reading config file by initializing memory.
 - Make sure CHROOT is default option, even if it is not specified
   in the config file.
   Thanks to Anton Yuzhaninov for providing the above two fixes.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.5
 - Avoid potential buffer underflow in main.c
   Thanks to Andreas for pointing out this problem.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.4
 - Fixed potential buffer overflow when
   expanding symbolic link file names.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.3
 - Clarified license (COPYING file)
 - Fixed compiler warning with regards to
   pointer-to-integer cast.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.2
 - Improved user checking code to avoid locking out
   valid users from the system.
   (Thanks to Lauri Kasanen for reporting this bug
   and supplying a patch.)

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.1
 - Added checks to crypt() calls to prevent
   operating on NULL pointer.
   (Thanks to Lauri Kasanen for reporting this bug.)

Jesse Smith <jessefrgsmith@yahoo.ca> -> 4.0
 - Added patch from Thomas Cort to make Bftpd
   compile on NetBSD.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.9
 - Adjusted Makefile to allow for easy access to
   non-default compiler options. Alternative compiler
   can be used by running "make CC=compilername".
 - Zhenbo Xu reported several potential memory
   bugs which could cause Bftpd to crash if the operating
   system is out of memory. Also reported a memory
   leak. Checks are now in place to prevent crashes
   and the memory leak has been plugged.
 - Added MINIX-specific configuration file which
   should allow Bftpd to run smoothly and without
   additional configuration on MINIX.
 - Merged MINIX porting code into mainline Bftpd
   so we can work with one, unified code base.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.8
 - Fixed bug in user tracking which could result
   in corrupted times on 64-bit systems.
 - When Bftpd is compiled with a "prefix" (which
   is the default behaviour) Bftpd will
   check both /etc/bftpd.conf AND PREFIX/etc/bftpd.conf
   when trying to find its configuration file.
   This should avoid requiring the admin to pass
   the location of the config file on the command line.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.7
 - Removed CVS directory from doc folder.
 - Options in the config file may now have
   following #comments.
   Reading the config file should happen a
   little faster too.
   Thanks to Zhang for reporting this issue.
 - Fixed typo in re-reading config file.
   Thanks to Zhang for reporting this issue.
 - When installing Bftpd the make file now
   respects the configure --prefix=/path/to/install
   flag.
   Thanks to Martin for reporting this bug.
 - Config file parser now handles multiple
   unexpected spaces.
   Thanks to Chang for reporting this issue.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.6
 - Expanded home directory maximum length to 64 characters.
 - Directory listing no longer hangs if the directory
   contains a named pipe.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.5
 - Added explicit setting of sin_family to AF_INET to
   avoid ambiguity and possible bind errors.
   (Patch provided by Tony.)

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.4
 - Added configuration file option TIMEZONE_FIX. By
   default Bftpd tries to guess the time zone, working
   around the C library. When running on a system where
   the C library can correctly guess the time zone in
   a chroot environment, set TIMEZONE_FIX="no" in the
   bftpd.conf file.
 - Added -v command line option which will cause
   Bftpd to display the current version and exit.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.3
 - Time stamps in the log file were not correct
   after chrooting. Added time zone code to make
   sure we can calculate the correct time without
   access to system time zone info.
   (Thanks to Paul for reporting this bug.)

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.2
 - Added new value for SHOW_HIDDEN_FILES option in the
   config file. The option can now be set to "yes",
   "no" or "always". This allows admins to determine whether
   clients can see hidden files if it is requested, never
   or all the time, respectively. Please see the config file
   comments for details.
 - Made sure HIDE_GROUP variable will cause files belonging
   to a given group to not be shown to the client.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.1
 - Make sure default config disables anonymous login
   by default.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 3.0
 - Updated documentation to fix links. Thanks to Xiang for
   pointing out the error.
 - Added Slovak documentation, provided by Dusan.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.9
 - Bftpd will attempt to create its utmp directory
   if that directory does not exist. Fixes issue on
   Ubuntu where the directory is wiped out at each
   reboot.
 - The ROOTDIR option now works properly for
   anonymous users.
   Thanks to Paul for reporting this bug.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.8
 - Added patch which will allow client to see hidden
   files if the "-a" parameter is used in list commands.
   Hidden files are only shown if SHOW_HIDDEN_FILES
   is enabled in the config file.
   Patch provided by Raster.
 - Swapped out glob function for custom directory
   search matching. Allows clients to see broken
   symbolic links if "SHOW_NONREADABLE_FILES" is set
   to "yes".
   Patch supplied by Raster.
 - Added patch to clean up zombies if several children
   processes all die at the same time. We were cleaning up
   just one child per signal before.
   Patch supplied by Raster.
 - Fixed typo in log error message.
 - Made sure we can read user config file options
   even with unusual compile flags.
 - Fixed anonymous login.
 - Anonymous login disabled by default in the config file.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.7
 - Added patch from Raster which returns more specific error
   messages to the client when a file or directory cannot be
   removed. This should avoid confusing some clients when the
   user attempts to remove a directory.
 - Added checks for increased security/stability and to remove
   compiler warnings.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.6
 - Removed some debugging information from the log file.
 - Made certain that bandwidth log will not over-write itself
   when multiple users are logged in.
 - Bandwidth log file is flushed to avoid loss of data.
 - Bftpd will write to bandwidth log even if client does
   not disconnect cleanly.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.5
 - Added better UTF support. Clients that check for this
   will now enable UTF-8. For example, Filezilla.
 - Made sure remote admin login was disabled. This shouldn't
   have worked anyway, but disabled the feature to make sure.
 - Added additional log file which tracks user bandwidth.
   See the option in the config file called BANDWIDTH.
 - Updated README file to contain notes on logging.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.4
 - Fixed a possible security hole which would allow
   attackers to perform a DoS attack against bftpd.
   (Thanks to Dazhi for pointing out this problem.)

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.2.1 (aka 2.3)
 - Bftpd should not attempt to close stdin, stdout and stderr
   if they do not exist. Fixed this in main.c.
   (Patch provided by Ivan A-R.)

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.2
 - Bftpd does not exit when an incorrect password is given.
   The server does drop connections in cases where logins are
   specifically denied, full server or if an error appears in
   the config file.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.1.2
 - Added option to not show files in a dir list
   if the file is not readable. Thanks to Eric
   Woltermann for sending in this patch.
   By default non-readable files are not listed.
   See the SHOW_NONREADABLE_FILES config option.
 - Make the replace() function safer with
   range checking to avoid buffer over-flow.
 - Fixed calls to replace() function.
 - Most string buffers now have a set size of
   MAX_STRING_LENGTH, rather than some arbitrary size.
 - Applied patch to allow user specific data to
   be substituted into the user MOTD file path.
   The symbols %u and %h can be used in place of the
   user's username and home directory in the MOTD_USER
   config option.
   Thanks to Eric Woltermann for submitting this patch.
 - Bftpd now prompts for a password, even on anonymous
   accounts to help increase compatibility with some
   web browsers.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.1.1
 - Fixed directory creation so that the proper
   umask is used. Thanks to Thiemo for pointing
   out this problem.
 - Fixed buffer under-size error in options.c
   Thanks to Athan for reporting this bug.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.1
 - By default, the SITE command is now disabled
   in the bftpd.conf file. This is to prevent
   security holes and DoS attacks via "site md5 <filename>"

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.0.3
 - Added md5 support for amd64 machines.
 - If no arch is defined for md5, assume little endian.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.0.2
 - Transfer buffer size now defaults to staying the
   same (max) size for all transfers. To get a variable
   buffer size, change the config option CHANGE_BUFSIZE
   to "yes".
 - Added config file option SHOW_HIDDEN_FILES. When this
   option is set to "yes", bftpd shows hidden files in directory
   listings. By default this is set to "no".

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.0.1
 - Avoid possible segfault in replace() function
   in mystring.c
 - Avoid memory error in main.c using strdup()
 - Avoid segfault in options.c the create_options()
 - Added ability to use the SITE command to provide md5
   checksums of files. (usage: site md5 filename)

   Very many thanks to Ulrich Drepper and Gray Watson for
   the md5 library!

 - Changed ratio calculations to use double type to
   allow for larger files and data transfers.
 - Added HELP option to the SITE command.
   (usage: site help)
 - Added config file variable CHANGE_BUFSIZE. This
   determines whether the transfer buffer changes size.
   It defaults to "yes".
 - Removed extra fileno() calls in file receives.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 2.0
 - Avoid memory error in options.c

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.9.3
 - Avoid segfaults in options.c and cwd.c
 - Added memory checks in options.c

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.9.2
 - Avoid segfaults in options.c and dirlist.c

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.9.1
 - Avoid segfaults in options.c and main.c

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.9
 - Added limits.h entry to main.c and options.c
   for compatibility with FreeBSD.
   (All problems with bftpd on FreeBSD were found and
   corrected by Beech of the FreeBSD team.)

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.8.4
 - When printing file sizes for files larger than 4GB
   the file size is now displayed correctly.
 - When an FTP client drops a connection without sending
   an ABORT (ABOR) signal, Bftpd will detect the dropped
   connection and log it. This prevents stale connections
   preventing new users from connecting.
   (Bug found and fixed by: Thorsten)
 - Added limits.h and signal.h to list of headers used
   in commands.c, for compatibility with BSD.
 - Changed sighandler_t in "run_script()" to sig_t
   for compatibility between Linux and BSD.
 - Added OpenPAM patch from FreeBSD (login.c)
 - Added limits.h include to login.c file for
   compatibility with BSD.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.8.3
 - If Bftpd is unable to create bftpdutmp file, an error
   should now be written to the log file.
 - Directory output corrected for when large files (> 2GB)
   are listed.
 - Documentation for xinetd config updated.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.8.2
 - Changed bftpd's directory name to plain "bftpd"
   rather than "bftpd-version". This will, hopefully, make
   it easier to run scripts which build/run bftpd.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.8.1
 - Avoid segfault in getoption() (options.c)
   Credit to Mats Erik Andersson for finding this bug.
 - Fixed potential memory leaks in commands.c

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.7.2
 - Fixed serious bug which would cause bftpd to crash
   while sending a file. Double-free error.
   (Credit to Davide Pozza for reporting these bugs below.)
 - Prevent buffer over-flow in parsecmd() when
   forming confstr variable.
 - Check return values of strtoul() to make sure they
   do not over-flow an int.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.7.1
   (Credit to Davide Pozza for reporting these bugs.)
 - Avoid memory over-flow in bftpd_login (login.c)
   with the str[] variable. Made size 512 + 1.
 - Avoid buffer over-flow in str[] variable in
   main().
 - Prevent buffer over-flow in check_file_password()
   when performing fscanf().
 - In check_file_password() made calloc() allocate
   larger buffer to prevent over-flow.
 - Performed range checking on the number of users on
   the system to make sure they don't over-flow a 32-bit int.
 - Make sure malloc calls in commands.c do not allocate
   too much or too little memory.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.6.6
 - Perform memory allocation check in bftpd_cwd_mappath()
 - Changed a strcmp() to strcasecmp() in command_retr function.
 - Performed free(mapped) at end of command_retr.
 - Performed memory checks and clean-up in various functions.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.6.5
 - When using the FILE_AUTH option, the text
   password file can contain anonymous users. That is,
   users who do not require passwords. THIS IS DANGEROUS
   ON MOST SYSTEMS. An entry with the password field set to
   a * (star) does not require a password. See the
   config file option FILE_AUTH for more information.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.6.4
 - Allow ANONYMOUS_USER config file option to be used with
   the FILE_AUTH option. This basically allows anyone
   to login to the system without a password if both
   options are used!
 - When a chroot fails during login the server will
   no longer tell the client which directory it was trying
   to chroot to.
 - When the config.h file contains a definition for
   NO_GETPWNAM then the getpwnam() function is not used.
   Also, this forces the use of the FILE_AUTH option. If
   NO_GETPWNAM is defined and FILE_AUTH is not used, all
   connections are dropped.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.6.3
 - Introduced option to over-ride the local/LAN
   IP address assigned to the host computer. This
   option takes a 4-number IP address in the format
   of "127.0.3.101". See OVERRIDE_IP in bftpd.conf for
   more information.
 - Removed description-pak file from source tree.
 - The options PRE_WRITE_SCRIPT and POST_WRITE_SCRIPT
   have been added to the bftpd.conf file. These options
   let you run scripts before and after any command writes
   to the file system. Handy if you want to re-mount.
   Please see the bftpd.conf file for details.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.6.2
 - When using FILE_AUTH to login, check
   DO_CHROOT option before performing
   a chroot().

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.6.1
 - Removed code which uses sendfile().
   The sendfile code appears to cause a
   conflict on some systems when used
   with 64-bit file size variables.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.6
 - Released bftpd without code changes, but
   with updated Polish documentation.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.5
 - Added Polish documentation to website.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.4.1
 - Added ability to use a plain text file
   for authentication.
   See config file option FILE_AUTH for details.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.4
 - Fixed default configuration.
 - Fixed compile warnings for vanilla config.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.3.2
 - Fixed Makefile to erase config.cache file during
   "make clean"
 - Added ability to uncompress files on the fly
   during downloads. Any file with the extension
   ".gz" can be decompressed during transfer to
   the client with the use of the GZ_DOWNLOAD
   in the config file. This option requires bftpd
   be configured (pre-compile time) with the flag
   --enable-libz.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.3.1
 - Changed ratio values to unsigned long
   variables to support large files.
 - Edited Makefile to allow bftpd to handle large
   files (2GB+).

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.2.2
 - Added ability to upload files and
   compress them into .gz files on the fly.
   See bftpd.conf file for the option.
   This option requires --enable-libz be
   used when running the configure script.

 - Cleaned up code to avoid compiler warnings
   from gcc 4.0.2.
   Files changed: main.c commands.c

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.2.1
 - When the config file is re-read, global
   are changed only.
   Files changed: options.c options.h

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.2
 - Made re-readable options be able to hold larger
   values. Up to 256 bytes/characters long.
 - Replaced old rpm spec file with one from
   Joe, which will be used from now on for
   rpm builds.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.1.3
 - When a child/client dies, the
   parent process will now attempt to
   remove the client's log entry
   from the bftpdutmp file. This
   should prevent stale entries.
 - Changed some default values to
   constants in options.h
 - Fixed typo(s) in bftpd.conf
 - Set delete/over-write for global
   users to be disabled by default
   in bftpd.conf.
 - Added the XFER_DELAY option to
   the bftpd.conf file. This allows
   the admin to set a time delay
   between data transfer bursts.
   This aids in bandwidth throttling.
   Please see bftpd.conf for more
   details on this feature.
 - Added more re-read options
   when catching signal SIGHUP.
   The re-readable options are now:
   HELLO_STRING, QUIT_MSG, XFERBUFSIZE,
   DATA_TIMEOUT, CONTROL_TIMEOUT,
   USERLIMIT_GLOBAL, USERLIMIT_SINGLEUSER,
   USERLIMIT_HOST, DENY_LOGIN and XFER_DELAY.

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.1.2
 - Program now catches signal SIGHUP.
 - When bftpd catches the SIGHUP (hang up)
   it re-reads the config file. It looks
   for some config values, but not all.
   At this time, the values which are
   re-read are:
   HELLO_STRING, QUIT_MSG and XFERBUFSIZE

Jesse Smith <jessefrgsmith@yahoo.ca> -> 1.1.1
 - Added rpm spec file to redhat directory.
 - Changed numeric string length (512) to a defined
   string length (MAXCMD). Makes code more
   compatible with main.c and uses less stack
   memory. File changed: commands.c
 - When receiving files, the transfer buffer
   (XFER_BUFSIZE) is divided by the number of
   connected clients. This should prevent bandwidth
   being sucked back by multiple connections.
 - Minor fixes, checking for malloc errors,
   freeing memory and closing sockets.
   File changed: commands.c
 - When sending files, the transfer buffer
   (XFER_BUFSIZE) is divided by the number
   of connected clients. This should prevent
   bandwidth being taken over by multiple connections.
 - Changed Makefile so bftpd.8 gets installed as
   a manual page in the proper location.
   Also updated rpm spec file to include man page.

Jesse Smith <slicer69@hotmail.com> -> 1.1.0
 - Changed some bftpdutmp_log(0) lines to
   calls to bftpdutmp_end(). This should be safer.
 - Made sure that clients cannot write or append
   to files if the "delete" command is disabled. I
   think if they cannot delete the file they shouldn't
   be allowed to truncate it to zero bytes either.
 - Added reason for login failure to log file.
 - Removed logging of getting user count from
   temp file. Just seems to be taking up space.

Jesse Smith <slicer69@hotmail.com> -> 1.0.24-2
 - Added ability to block multiple connections from the
   same IP address. This will keep download managers and
   Internet Explorer from taking up multiple connections.
   See the new option USERLIMIT_HOST in bftpd.conf.
 - Made sure that bftpd logs out stale control connections
   via added calls to bftpdutmp_log(0).
 - Added alarm() calls before trying to read from
   the control socket. We shouldn't assume we are going to
   get anything.

Jesse Smith <slicer69@hotmail.com> -> 1.0.24-1
 - Fixed bug with NLIST command. The bftpd server should not be
   sending leading path in front of filename when using NLIST.
   File(s) affected: dirlist.c
 - Added the MGET command. Allows client to receive multiple files
   with one command.
   File(s) affected: commands.c
 - Added the MPUT command. Allows client to send multiple files
   to the server with one command.
   File(s) affected: commands.c

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.24
 - The PATH_BFTPDUTMP configuration option was added (idea by Szabo Peter
   <pts@math.bme.hu>).
 - Whenever a data connection is established, the reply message now
   contains the transfer mode (idea by Szabo Peter).
 - The -D, -h and -n command line options have been added (idea by Szabo
   Peter). Some code was changed to support operation without a configuration
   file.
 - ATTENTION! The option LOGFILE has changed.
   See sample config file.
 - In daemon mode, bftpd closes its sockets correctly now (important if you
   have a lot of connections), problem discovered by Olivier Kaloudoff.
 - Fixed a bug that prevented Mozilla from getting directory lists (found
   by Marc Pauls).
 - Daniel Mack fixed a memory leak in his code.
 - The configuration parser handles comments better now.
 - The USERLIMIT_GLOBAL configuration option has been added.
 - The USERLIMIT_SINGLEUSER configuration option has been added.
 - Some memory leaks discovered by David Heine <dlheine@suif.stanford.edu>
   were fixed.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.23
 - A serious file corruption bug using sendfile was fixed.
 - A makefile bug was fixed.
 - The AUTO_CHDIR and HIDE_GROUP configuration options were added.
 - A bug in the RNFR and RNTO functions has been fixed.
 - A bug occurring when compiling on StrongARM has been fixed.
 - The config file has been made more tolerant to missing spaces (error
   reported by Saus101 <Saus101@prime.gushi.org>).
 - A bug in the HELP function was fixed.
 - Two BSD incompatibilities have been fixed.
 - A STAT bug was fixed.
 - bftpd now follows symlinks.
 - A bug in the daemonmode code was fixed.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.22
 - The ALLOW_FXP configuration option has been added.
 - The DATA_TIMEOUT configuration option has been added.
 - The PASSIVE_PORTS configuration option has been added.
 - A control timeout bug has been fixed.
 - Configuration options are now written like name="value", allowing
   comments after the option. Directories are written like
   directory "/foo/bar" {. Please update your config files!
 - bftpdutmp logging has been implemented as well as some administration
   functions using it. Read the updated documentation for details on how
   to use them.
 - You needn't link gzip statically to bftpd any more if you want on-the-fly
   compression, but you can dynamically link against zlib instead now.
   The pax sources are still needed for tar on-the-fly.
 - A directory listing bug reported by Hendrik Harms
   <hendrik.harms@bigfoot.de> has been fixed.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.21
 - The XFER_BUFSIZE configuration option has been added, allowing tweaking
   of data throughput. If you and your clients are on a very fast network
   (fast meaning 100 Mbit/s or more), you should set this to 64000 or
   something like that.
 - The APPE command has been implemented.
 - The ALLO command has been implemented as an alias to NOOP.
 - The INITAL_CHROOT configuration option has been added. See the new
   example config file for details.
 - The ability to disable logging has been added :)
 - A bug making file transmissions impossible with old config files has
   been fixed.
 - A bug concerning file truncating when STORing has been fixed.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.20
 - The FEAT function has been implemented.
 - A permission bug in the STOR function has been fixed.
 - The UMASK configuration option can now be used directory-specifically.
 - The EPSV and EPRT functions have been implemented, making IPv6 support
   possible somewhere in the future.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.19
 - The NLST function has been made usable again. There has been an
   unnoticed bug in it since the globbing function has been implemented.
 - The XCWD, XCUP, XMKD, XRMD and XPWD functions have been implemented
   as aliases to CWD, CDUP, MKD, RMD and PWD.
 - The documentation is now in the SGML format, making it more extensible,
   hopefully.
 - The DATAPORT20 configuration option has been added. If set to yes,
   the server will open data connections from port 20, which should make
   firewall users happier.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.18
 - The configuration file has been restructured. See README for details.
 - The PORT configuration option has been added, allowing you to change
   the port number the daemon should listen on (only for daemon mode).
 - A workaround for the /*/../* vulnerability mentioned on Bugtraq has
   been added, although it's not the right thing to do, really.
 - Compatibility to Solaris 8 has been improved. Josh Woodcock
   <josh@hamparts.com> and Michael Smirnov <smb@mh.vstu.edu.ru> gave
   some hints.
 - The CONTROL_TIMEOUT configuration option has been added. You can now
   say after how many seconds of idle time users should be kicked.
 - Hashes (#) in /etc/passwd and /etc/group are now supported as comments.
   This improves FreeBSD compatibility, I'm not sure about other systems.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.17
 - A globbing bug was fixed, making Midnight Commander able to connect
   to bftpd.
 - A bug which appeared when doing LIST if a group line in /etc/group
   had more than 256 characters was fixed.
 - /etc/shells and /etc/ftpusers authentication were implemented by
   Christophe Bailleux.
 - You can now indent your configuration options with tabulators.
 - A small problem with the ip_conntrack_ftp kernel module has been fixed,
   which was the fault of ip_conntrack_ftp. It was found by Erik Hensema
   <erik@hensema.xs4all.nl>.
 - ASCII transfer mode has been implemented.
 - You can now prevent a user from executing specific commands by using
   the ALLOWCOMMAND_XXXX=no option.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.16
 - .tar and .gz on-the-fly support has been implemented. Look in the
   README file if you want to do that.
 - Supplementary group IDs are now initialized correctly.
 - PORT commands now check if the supplied IP address really belongs
   to the client, so that an attacker can't make the server connect
   to a machine in its LAN.
 - A bug making the wtmp logging system unusable under BSD systems was
   fixed.
 - A bug making the server crash when logging in a non-existent user
   with ANONYMOUS_USER enabled was fixed.
 - A patch supplied by Christophe Bailleux was applied, changing the
   following:
    - Spaces after a command in each command string are removed.
    - The HELP command was implemented.
    - CWD to ~ now works.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.15
 - You can override the default path to the config file with the command
   line parameter '-c'.
 - wtmp logging was implemented, so that bftpd logins show up in
   commands like 'last'.
 - You can have bftpd bind to only one interface, for example, if you
   want to run an FTP proxy server on the same port on another network
   interface.
 - The LIST and NLST commands now support globbing.
 - A security problem in the syslog code was fixed.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.14
 - A lot of bugs found by Christophe Bailleux <cb@grolier.fr> have been
   fixed, as always.
 - bftpd can now cope with special characters, such as umlauts.
 - SITE commands are now disabled by default.
 - A bug preventing resolution of GIDs on some systems has been fixed.
 - Debian packages are now built for every new version.
 - You can now specify if any password should fit for a particular user,
   so that you don't have to set a user's password to nothing
   (security).
 - You can now turn off chroot() for particular users.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.13
 - David L. Nicol <david@kasey.umkc.edu> tested bftpd on Tru64.
   He also improved the character filtering routine.
 - Some RFC incompliance was fixed, improving compatibility with
   FTPExplorer and LeechFTP.
 - The SIZE command was implemented.
 - A bug making the server segfault when being killed was fixed.
 - A buffer overflow bug found by asynchro <asynchro@pkcrew.org>,
   Jonathan Heusser <jonathanheusser@gyml.unibas.ch> and Christophe
   Bailleux <cb@grolier.fr> was fixed.
 - The SITE CHMOD and SITE CHOWN commands were implemented. You can turn
   them off in the config file.
 - A lot of useful changes proposed by Heiko Rother <rother@cmsnet.de>
   were made:
    - Standalone mode, independent from inetd
    - Better support for symbolic links
    - Display of user/group name instead of UID/GID
    - Ability to set the umask
    - Ability to log into syslog

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.12
 - SmartFTP support was improved (parameters to LIST beginning with -
   are discarded).
 - A buffer overflow bug found by Christophe Bailleux <cb@grolier.fr>
   was fixed.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.11
 - PAM support was implemented. Specify --enable-pam while starting
   configure to use it.
 - You can now specify users who should be unable to log in.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.10
 - Applied a big patch from Daniel Mack that makes some things better,
   for example virtual host support, a FreeBSD correction for the
   directory listings, etc.
 - The MDTM command was implemented.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.9
 - Fixed another bug preventing successful running on Solaris.
 - Implemented "message of the day".
 - Fixed an evil bug in string substitution.
 - Fixed a bug causing the server to crash when listing an empty
   directory.
 - The NLST command was implemented.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.8
 - Fixed a bug that caused StarOffice not to work.
 - Removed the use of a non-Posix function that prevented compiling
   on Solaris.
 - Implemented an option to let root have / as his home directory
   independent of his real one.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.7
 - The PASV command was implemented.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.6
 - bftpd also compiles on FreeBSD and Solaris.
 - Aliases for users can be set.
 - Error messages are now printed correctly.
 - "In bftpd.conf you can define if you want bftpd to use /etc/shadow"
   was removed again because it was stupid.
 - Ratio was added.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.5
 - ls-independent directory listing was implemented. You don't need
   special directories or files in your home directory any longer.
 - Compiling works with configure for portability reasons now.
 - bftpd also compiles on BSD/OS and DG-UX.
 - The name of the log file can now be set in bftpd.conf.
 - The RMD command was implemented.
 - Internet Explorer and Netscape compatibility was improved.
 - The REST command was implemented.
 - The ABOR command was implemented (but with very stupid code!).
 - In bftpd.conf you can define if you want bftpd to use /etc/shadow.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.4
 - Logging was implemented.
 - A wrong error number for 'Permission denied' was fixed.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.3
 - A config file and two options have been implemented: You can
   disable the server and you can disable .ftp.

Max-Wilhelm Bruker <brukie@gmx.net> -> 1.0.2
 - It is now checked if .ftp is a symbolic link so that users don't
   link .ftp to /.