vulnerable to CVE-2007-2165

Bug #132161 reported by fago
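| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| proftpd (Debian) | Fix Released | Unknown | | |
| proftpd (Ubuntu) | Invalid | Undecided | Unassigned | |
| proftpd (Ubuntu Dapper) | Won't Fix | Undecided | Unassigned | |
| proftpd (Ubuntu Edgy) | Won't Fix | Undecided | Unassigned | |
| proftpd (Ubuntu Feisty) | Invalid | Undecided | Unassigned | |
| proftpd (Ubuntu Gutsy) | Invalid | Undecided | Unassigned | |
| proftpd-dfsg (Ubuntu) | Fix Released | Undecided | Unassigned | |
| proftpd-dfsg (Ubuntu Dapper) | Invalid | Undecided | Unassigned | |
| proftpd-dfsg (Ubuntu Edgy) | Invalid | Undecided | Unassigned | |
| proftpd-dfsg (Ubuntu Feisty) | Won't Fix | Undecided | Unassigned | |
| proftpd-dfsg (Ubuntu Gutsy) | Fix Released | Undecided | Unassigned | |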

Bug Description

Binary package hint: proftpd

http://secunia.com/cve_reference/CVE-2007-2165/

I was able to reproduce the problem with feisty's proftpd package.

This problem may even lead to remote code injection:
http://blog.syscp.org/archives/58-Security-warning-Possible-remote-code-injection-when-using-Debian-SargeEtch.html

Which is already used by attackers:
(sorry, German) http://forum.hetzner.de/wbb2/thread.php?threadid=9278


Hippu (teemu-heinamaki) wrote:

Changing to confirmed since this is reported in debian and upstream.

Changed in proftpd:
status: New → Confirmed
Changed in proftpd:
status: Unknown → Fix Released

William Grant (wgrant) wrote:

LP's release targeting mechanism is braindead. Business as usual.

Changed in proftpd:
status: Confirmed → Invalid
status: New → Invalid
status: New → Invalid
Changed in proftpd-dfsg:
status: New → Invalid
status: New → Invalid

William Grant (wgrant) wrote:

Fixed in 1.3.0-22, which is in Gutsy.

Changed in proftpd-dfsg:
status: New → Fix Released
status: New → Fix Released

Hew (hew) wrote:

Ubuntu Edgy Eft is no longer supported, so an SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in proftpd:
status: New → Won't Fix

LumpyCustard (orangelumpycustard) wrote:

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Hew (hew) wrote:

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in proftpd-dfsg:
status: New → Won't Fix

rusivi2 (rusivi2-deactivatedaccount) wrote:

Thank you for taking the time to report this bug and helping to make Ubuntu better. Regarding Dapper, please execute the following command, as it will automatically gather debugging information, in a terminal:
apport-collect BUGNUMBER
When reporting bugs in the future please use apport, using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Changed in proftpd (Ubuntu Dapper):
status: New → Incomplete

Scott Kitterman (kitterman) wrote:

This is a nonsense request. There is no apport in dapper.

Changed in proftpd (Ubuntu Dapper):
status: Incomplete → New

Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in proftpd (Ubuntu Dapper):
status: New → Won't Fix