Argus (unfounded?) security concern

[Carter Bullard]

Hey Karl,
   Your right we should be more careful.  We use
to sign and seal the distribution, but with the
last one we've gotten a bit sloppy.  I'll try
to get at least an MD5 checksum for 1.8.1 on the
cmu web site so we can get some assurances.  But
with the holiday, it will take a while to get it
there.

   A couple of the guys on the mailing list have
an interest in the CMU ftp server, so hopefully
they will check our your concerns.

Thanks!!!!

Carter

-----Original Message-----
From: Karl Hanmore [mailto:avatar at ultra.ultra.net.au]
Sent: Wednesday, August 30, 2000 7:05 PM
To: Carter Bullard
Subject: Argus (unfounded?) security concern


Good Day Carter,

Firstly, let me say I think your product is absolutely fantastic.  I have
only used it briefly on my home network at this point (if only I could get
it to work on a tun interface :), but was very impressed with what I have
seen.

I am looking at perhaps using it on a small scale on our 10 PC office
network, however, I have some concern about the distribution site.  I am
led to belive that "andrew" is the primary distribution site?  Because I
am a security paranoid (and in the absence of md5 or pgp sigs for the
argus tarball) I looked at the version of the ftp server software on
andrew.  It would appear that it is an older version of uw-ftp, which is
remote root exploitable.  Of course, they may have patched against this,
or I may be mistaken about the vunerability.

I just found it of concern that someone could possibly compromise the
integrety of your very good program.

Kind Regards,
Karl Hanmore
Technical Manager
Ultranet