# what version of ftpd?



## chavez243ca (Oct 21, 2009)

I use portaudit to check installed ports for vulnerabilities, but a recent external vuln scan alerted on ftpd.  It could be a false positive, but I need to check.  Is there a tool for checking the security status of the base install, or a way to get the version / revision of something like ftpd?

The CVEs named are very old - 2001, but I need to make sure.


----------



## SirDice (Oct 21, 2009)

Just a few I found:

http://security.freebsd.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc
http://security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.asc

http://www.freebsd.org/security/advisories.html

What version of FreeBSD are you running and which CVEs is it complaining about?

Also note that portaudit only checks installed ports, not the base system.


----------



## chavez243ca (Oct 21, 2009)

SirDice said:

> What version of FreeBSD are you running and which CVEs is it complaining about?
> 
> Also note that portaudit only checks installed ports, not the base system.



My point exactly... I need something besides portaudit to check the base system.

The vuln scan is alerting on this http://security.freebsd.org/advisories/FreeBSD-SA-01:33.ftpd-glob.asc

which seems really odd - I'm on FreeBSD 7.0-RELEASE-p11.

Should be fairly safe to chalk it up as a false positive.


----------



## SirDice (Oct 21, 2009)

The scan probably detected you can still use * (glob()).


----------



## DutchDaemon (Oct 21, 2009)

It's safe to assume that if your system is at a higher version than the ones printed in 'Affects:' the vulnerability no longer exists.


----------
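The comparison described in the post above, as an added shell example that is not part of the original thread or of any FreeBSD tool: it turns a release string such as the one `uname -r` prints into a sortable number and checks whether the running system is newer than the newest release named in an advisory's 'Affects:' field. The function names and the `AFFECTED_MAX` value are assumptions; `AFFECTED_MAX` is a constructed placeholder, not a value taken from the advisory.

```shell
#!/bin/sh
# Added example: is the running FreeBSD release newer than the newest
# release listed under "Affects:" in a security advisory?

# release_key "7.0-RELEASE-p11" -> 70000011
# Encodes major.minor[.sub] plus the -pN patch level as one integer so
# that two release strings can be compared numerically.
release_key() {
    rel=$1
    ver=${rel%%-*}                      # "7.0-RELEASE-p11" -> "7.0"
    case $rel in
        *-p[0-9]*) patch=${rel##*-p} ;; # "-p11" -> 11
        *)         patch=0 ;;           # no patch level in the string
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ver                         # split "4.6.2" into $1 $2 $3
    IFS=$old_ifs
    echo $(( ( ( ${1:-0} * 100 + ${2:-0} ) * 100 + ${3:-0} ) * 1000 + $patch ))
}

# newer_than_affected RUNNING AFFECTED_MAX
# Succeeds only when RUNNING sorts strictly after AFFECTED_MAX.
newer_than_affected() {
    [ "$(release_key "$1")" -gt "$(release_key "$2")" ]
}

# RUNNING is the release quoted in the thread; on a live host use
#   RUNNING=$(uname -r)
# which reports the release string of the running kernel.
RUNNING=${RUNNING:-7.0-RELEASE-p11}
# Constructed placeholder: replace with the newest release printed in
# the advisory's "Affects:" field.
AFFECTED_MAX=${AFFECTED_MAX:-4.3-RELEASE}

if newer_than_affected "$RUNNING" "$AFFECTED_MAX"; then
    echo "$RUNNING is newer than $AFFECTED_MAX: outside the affected range"
else
    echo "$RUNNING is not newer than $AFFECTED_MAX: read the advisory's fix details"
fi
```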



## anomie (Oct 21, 2009)

chavez243ca said:

> My point exactly... I need something besides portaudit to check the base system.



Quick side comment: if you haven't already, you might want to subscribe to freebsd-security-notifications.


----------

