A few minor compiler warnings have also been cleared up to make building with GCC smoother. Thanks to Zhang and Martin for reporting bugs and suggesting fixes.
The other bug concerns files which are really named pipes. If a named pipe is in a directory, performing a directory listing would cause the connection to hang. This has been fixed so named pipes are handled properly.
Thanks to Martin for reporting these problems and for helping to test the fixes.
Thanks to Tony for both reporting the bug and supplying a patch to correct the issue.
A new option has been added to the Bftpd configuration file (bftpd.conf) called TIMEZONE_FIX. By default Bftpd tries to find its own time zone data. However, setting TIMEZONE_FIX="no" will cause Bftpd to hand time zone handling back to the C library.
ProFTPd bug. This new release of Bftpd, version 3.3, includes a work around to calculate the current time zone prior to entering the chroot environment.
If you are running Bftpd, please check your configuration file (typically /etc/bftpd.conf) and look at the section near the bottom regarding the FTP user. Either DENY_LOGIN should be set or ROOTDIR should point to a safe location where a remote user cannot do harm to the rest of the system. At this time a fix in the form of Bftpd-3.1 is being uploaded which locks down the anonymous account.
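The check described above can be scripted. The following is an added example, not part of the Bftpd sources or this announcement. It assumes the stock bftpd.conf layout of `user NAME { KEY="value" }` blocks and assumes that DENY_LOGIN="no" means logins are allowed; the sample configs and the path /srv/ftp/pub are constructed.

```python
import re

# Constructed sample configs (not taken from a real server). The block layout
# `user NAME { KEY="value" }` is assumed from stock bftpd.conf files.
SAMPLE_OPEN = '''
global {
  TIMEZONE_FIX="no"
}
user ftp {
  ANONYMOUS_USER="yes"
}
'''
SAMPLE_LOCKED = SAMPLE_OPEN.replace(
    'ANONYMOUS_USER="yes"', 'ANONYMOUS_USER="yes"\n  ROOTDIR="/srv/ftp/pub"')

BLOCK = re.compile(r'^\s*(global|user\s+\S+|group\s+\S+)\s*\{(.*?)^\s*\}',
                   re.M | re.S)
OPTION = re.compile(r'^\s*([A-Z_]+)\s*=\s*"(.*?)"', re.M)

def parse_sections(text):
    """Return {section name: {OPTION: value}}, ignoring # comment lines."""
    text = re.sub(r'^\s*#.*$', '', text, flags=re.M)
    return {' '.join(name.split()): dict(OPTION.findall(body))
            for name, body in BLOCK.findall(text)}

def audit_ftp_user(text):
    """Return findings for the ftp user section; an empty list means it passes."""
    ftp = parse_sections(text).get('user ftp')
    if ftp is None:
        return ['no "user ftp" section found']
    # Assumption: DENY_LOGIN="no" allows logins; any other text denies them.
    if ftp.get('DENY_LOGIN', 'no').lower() != 'no':
        return []
    root = ftp.get('ROOTDIR')
    if root is None:
        return ['user ftp: neither DENY_LOGIN nor ROOTDIR is set']
    if root.rstrip('/') == '':
        return [f'user ftp: ROOTDIR="{root}" exposes the whole filesystem']
    return []

if __name__ == '__main__':
    for label, conf in (('open', SAMPLE_OPEN), ('locked', SAMPLE_LOCKED)):
        print(label, audit_ftp_user(conf) or 'ok')
```

To audit a live server, pass the contents of /etc/bftpd.conf to audit_ftp_user() and treat any returned finding as a reason to edit the ftp user section.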
Also, in an effort to avoid leaving people in the dark, we are setting up a security mailing list. This list will be used only to announce new releases and security warnings. If you would like to subscribe to the mailing list, please get in touch with us via our Contact page.
This new release, 3.0, contains our corrected documentation and the new Slovak documentation.
There were no code changes between 2.9 and 3.0.
Dusan kindly submitted a translation of the Bftpd documentation in the Slovak language. You can find a copy of the new pages on the Documents page. The next source release of Bftpd will also include the new translation.
Updated the documentation on the website to fix broken links. The documentation now includes a section on configuration options. Thanks to Xiang for pointing out the page was missing.
A bug was found in the way bftpd handles anonymous logins. When an anonymous user connects, the ROOTDIR option in the configuration file was being ignored. The new release, 2.9, corrects this problem. Thanks to Paul Laufer for reporting this issue.
This release also fixes an issue where the bftpd log file would get erased on Ubuntu during a reboot of the system.
I am happy to announce that, with the help of PC-BSD founder, Kris Moore, we're now able to offer one-click install files for PC-BSD users. The PBI package can be found here. Please test it and let us know how it works. All going well we hope to see Bftpd offered through PC-BSD's package manager soon. For those of you on FreeBSD, the bftpd server is offered through their Ports collection.
The 2.8 release brings a lot of improvements and bug fixes to Bftpd.
There were some cases where the user config options might not be read properly, depending on how Bftpd was compiled. This has been fixed so options should always be read.
Anonymous logins have been fixed. This broke a few releases back and it's been corrected. We have also disabled anonymous logins by default. You can allow anonymous logins in the configuration file.
If several Bftpd sessions all die at once, the system will now clean up the zombie processes.
The "list" command now recognizes the "-a" parameter, allowing clients to see hidden files. This function only works if the administrator has turned on the configuration file option SHOW_HIDDEN_FILES.
The search function has been updated, allowing users to see symbolic links, even if those links are broken. For this feature to work, the configuration file option SHOW_NONREADABLE_FILES must be turned on.
Many thanks to Raster who contributed most of the improvements for this release. Also thanks to Oliver Metz for reporting bugs.
In short, we've fixed a few things, tried to make the system more secure out of the box and added some optional functionality. Please see the contact page if you would like to report a problem.
This release, 2.7, fixes an issue where an FTP client would attempt to delete a directory on the server. The server would previously send back the same error regardless of whether the directory was full or the client did not have permission to delete it. This would confuse some clients. Thanks to Raster for providing this patch.
This release also clears up some compiler warnings from gcc 4.4.1.
This release of version 2.6 fixes a few minor bugs with
the bandwidth logging feature introduced in 2.5. Primarily
it makes sure bandwidth is logged even if the client does
not disconnect cleanly.
This release, version 2.5, contains two new features. It
improves UTF-8 support with programs such as Filezilla. The
server also provides the option to log bandwidth usage on
a per user basis. The option to enable bandwidth logging is
called BANDWIDTH and can be found in the bftpd config file.
The README file has also been updated to include a few
awk scripts to assist with getting data from the
This release, version 2.4, fixes one security bug which could have led to a denial of service attack. Administrators are advised to upgrade at their earliest convenience.
Many thanks to Dazhi for reporting this issue.
Since no new bugs were reported from the development release, I'm going to repackage Bftpd as a stable release. This is the same code as bftpd-2.2.1, so those of you who follow the development packages have no need to upgrade. For people who stick to stable releases, this is for you.
This development release is to test a small patch, provided by Ivan, which prevents problems when bftpd is launched by some daemon processes. I foresee no problems, but I'm putting this out as a development release for now.
Daniel Zilli was kind enough to volunteer to redesign the Bftpd website. I'm very happy with this change and I hope that our visitors feel the same.
This release brings one small change over the previous development releases. Bftpd will not close connections when a client sends an incorrect username/password combination. Connections are closed if the server is full or the system is configured to deny logins.
This update introduces a few small, handy features to bftpd. The first is that bftpd prompts for a password, even if the user is logging in as anonymous. This is to increase compatibility with various web browsers that expect the prompt.
The second change is that the User's MOTD variable in bftpd's config file can use two symbols (%u and %h) to represent the user's username and home directory.
A new option was added to the config file called SHOW_NONREADABLE_FILES which toggles whether files which cannot be read are listed to the client.
Some work was done to make bftpd's string handling more secure, specifically in the replace() function.
Many thanks to Eric Woltermann who provided patches and much assistance in driving this release forward.