Re: [SECURITY] [DLA 2115-1] proftpd-dfsg security update
Hi Chris,
On Fri, Feb 21, 2020 at 12:32:12PM -0800, Chris Lamb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Package : proftpd-dfsg
> Version : 1.3.5e+r1.3.5-2+deb8u6
> CVE ID : CVE-2020-9273
>
> It was discovered that there was a a use-after-free vulnerability in
> in the proftpd-dfsg FTP server.
>
> Exploitation of this vulnerability within the memory pool handling
> could have allowed a remote attacker to execute arbitrary code on the
> affected system.
>
> For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
> 1.3.5e+r1.3.5-2+deb8u6.
Heads-up on this proftpd-dfsg update. This would need a (functional)
regression update, as upstream noticed a problem with the initial
commit (and it regressed a use-case with LogFormat functionality).
See: https://bugs.debian.org/952557
Regards,
Salvatore
Reply to: