Vulnerable version of proftpd
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| proftpd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| proftpd-dfsg (Debian) | Fix Released | Unknown | | |
Bug Description
Binary package hint: proftpd
ProFTPD 1.3.3c was released on 29.10.2010. The version in use on Ubuntu 10.04 is 1.3.2c and is vulnerable.
http://
Please update.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello, ProFTPD community. The ProFTPD Project team is pleased to announce
that the third maintenance release for ProFTPD 1.3.3 is now available for
public consumption.
You can download 1.3.3c, including PGP signatures and MD5 sums, from any
of the proftpd mirrors. Mirrors are available via FTP as:
ftp.<
(example: ftp.nl.
you should select one that is geographically close to you.
Alternatively, you can download proftpd from the main site:
ftp://ftp.
RPMs, once available, will be placed here:
ftp://ftp.
The 1.3.3c release is a security release. It contains fixes for the
Telnet IAC stack overflow vulnerability (ZDI-CAN-925) and for the
mod_site_misc module directory traversal vulnerability.
The Telnet IAC stack overflow vulnerability (Bug#3521) has no known
workarounds. It affects FTP and FTPS (FTP over SSL/TLS) connections,
but does not affect SFTP/SCP connections.
The mod_site_misc module directory traversal vulnerability (Bug#3519)
applies to sites which use the mod_site_misc module. To prevent
clients from exploiting this vulnerability while a fix is being
deployed, the following can be used in the proftpd.conf file:
<Limit SITE_MKDIR SITE_RMDIR SITE_SYMLINK SITE_UTIME>
DenyAll
</Limit>
Sites are urged to upgrade to proftpd-1.3.3c or later as soon as
possible.
Please read the included NEWS, RELEASE_NOTES, and ChangeLog files for
the full details.
The MD5 sums for the source tarballs are:
8571bd78874b5
4f2c554d6273b
The PGP signatures for the source tarballs are:
proftpd-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAY
83gAoPHBrjT
=aLli
-----END PGP SIGNATURE-----
proftpd-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAY
pO8Anj+
=e8el
-----END PGP SIGNATURE-----
My PGP key has been used to sign the source tarballs as well as this
announcement; it is available via MIT's public keyserver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkz
5VQAoITat0nkFaP
=M2BF
-----END PGP SIGNATURE-----
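The announcement above gives an administrator two things to verify on each host: whether the running ProFTPD predates 1.3.3c, and, while the upgrade is pending, whether proftpd.conf carries the interim `<Limit SITE_MKDIR SITE_RMDIR SITE_SYMLINK SITE_UTIME>` / `DenyAll` block. The script below is an added example written for this page; it is not part of the Launchpad bug, the Ubuntu package or the ProFTPD project. It assumes `proftpd -v` prints a line of the shape `ProFTPD Version 1.3.2c`, and the sample banner and configuration texts are constructed. One caveat it encodes: Ubuntu and Debian backport security fixes without bumping the upstream version number, so an upstream version below 1.3.3c flags a host for a look at the distribution's security notice rather than proving it vulnerable.

```python
"""Added defender-side check for the two items in the 1.3.3c announcement:
is the running ProFTPD older than 1.3.3c, and does proftpd.conf carry the
interim <Limit SITE_MKDIR SITE_RMDIR SITE_SYMLINK SITE_UTIME> DenyAll block?
Example code, not part of the bug report or the ProFTPD project."""
import re

FIXED_VERSION = "1.3.3c"            # first upstream release carrying both fixes
MITIGATED_CMDS = {"SITE_MKDIR", "SITE_RMDIR", "SITE_SYMLINK", "SITE_UTIME"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?")


def parse_version(text):
    """Map '1.3.2c' to (1, 3, 2, 3). ProFTPD's trailing letter is the
    maintenance level, so 1.3.3 < 1.3.3a < 1.3.3b < 1.3.3c. Anything after
    the upstream part (e.g. a '-1ubuntu0.1' package suffix) is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ProFTPD version: {text!r}")
    major, minor, patch, letter = m.groups()
    level = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), level)


def version_from_banner(banner):
    """Pull the version out of 'ProFTPD Version 1.3.2c' (assumed shape of
    `proftpd -v` output); returns None when no version is present."""
    m = re.search(r"ProFTPD Version (\S+)", banner)
    return m.group(1) if m else None


def is_below_fixed(version):
    """True when the upstream version number predates 1.3.3c. Distributions
    backport fixes without changing this number, so True means 'consult the
    distro security notice', not 'proven vulnerable'."""
    return parse_version(version) < parse_version(FIXED_VERSION)


_LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S | re.I)


def has_site_misc_mitigation(conf_text):
    """True if some <Limit ...> block names all four SITE commands from the
    announcement and contains a DenyAll directive."""
    for m in _LIMIT_RE.finditer(conf_text):
        cmds = {c.upper() for c in m.group(1).split()}
        body = m.group(2)
        if MITIGATED_CMDS <= cmds and re.search(r"^\s*DenyAll\b", body, re.M | re.I):
            return True
    return False


def audit(banner, conf_text):
    """Summarise both checks as a dict, the record an inventory script
    would keep per host."""
    version = version_from_banner(banner)
    return {
        "version": version,
        "below_1.3.3c": version is not None and is_below_fixed(version),
        "site_misc_limit_present": has_site_misc_mitigation(conf_text),
    }


# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "ProFTPD Version 1.3.2c"

CONF_MITIGATED = """\
ServerName "Example FTP"
<Limit SITE_MKDIR SITE_RMDIR SITE_SYMLINK SITE_UTIME>
  DenyAll
</Limit>
"""

# Covers only two of the four commands, so it does not count as the mitigation.
CONF_PARTIAL = """\
<Limit SITE_MKDIR SITE_RMDIR>
  DenyAll
</Limit>
"""

if __name__ == "__main__":
    for name, conf in (("mitigated", CONF_MITIGATED), ("partial", CONF_PARTIAL)):
        print(name, audit(SAMPLE_BANNER, conf))
```

Note that the `<Limit>` block only addresses the mod_site_misc traversal; the announcement states the Telnet IAC overflow has no configuration workaround, so a host that passes the second check but fails the first still needs the package update.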
Changed in proftpd-dfsg (Debian): status: Unknown → Fix Released
Changed in proftpd (Ubuntu): status: New → Fix Released
Hey... So is anyone paying any attention to their bug queue at all? This is a pretty major bug, guys.