proftpd sql injection
Bug #508738 reported by Jan Hagemeyer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| proftpd-dfsg (Ubuntu) | Fix Released | High | Unassigned | |
| Jaunty | Fix Released | High | Unassigned | |
| Lucid | Fix Released | High | Unassigned | |
Bug Description
Binary package hint: proftpd
Description: Ubuntu 9.04
Release: 9.04
affected package: proftpd 1.3.1-17ubuntu1
If you are using MySQL-based authentication (proftpd-mod-mysql), it is possible to log in as any of the virtual users without knowing the password.
I will report detailed information to the security team if it's needed.
It seems that this issue has already been fixed in Debian 1.3.1-17lenny4.
summary: sql injection → proftpd sql injection
affects: proftpd (Ubuntu) → proftpd-dfsg (Ubuntu)
Changed in proftpd-dfsg (Ubuntu):
- status: New → In Progress
- assignee: nobody → Jan Hagemeyer (janhg)
- visibility: private → public
Thanks for the debdiff! Unfortunately the patch does not follow the procedure listed in https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update, specifically https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.
A quick glance at the debdiff shows that:
1. the pocket is not set to jaunty-security
2. the version used is incorrect
3. the changelog does not contain enough information
4. the patches don't follow https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines
Marking as Incomplete, assigning the submitter and unsubscribing ubuntu-security-sponsors. Jan, can you review the packaging procedures and update your debdiff accordingly? When you attach your new debdiff, please resubscribe ubuntu-security-sponsors. Thanks!