Re: [SECURITY] [DLA 2115-1] proftpd-dfsg security update

To: debian-lts@lists.debian.org
Cc: lamby@debian.org
Subject: Re: [SECURITY] [DLA 2115-1] proftpd-dfsg security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 2 Mar 2020 06:01:56 +0100
Message-id: <[🔎] 20200302050156.GA1745425@eldamar.local>
Mail-followup-to: debian-lts@lists.debian.org, lamby@debian.org
In-reply-to: <40ee77dd-66d4-44b9-9bbc-064b65d3cfc9@sloti26t01>
References: <40ee77dd-66d4-44b9-9bbc-064b65d3cfc9@sloti26t01>

Hi Chris,

On Fri, Feb 21, 2020 at 12:32:12PM -0800, Chris Lamb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Package        : proftpd-dfsg
> Version        : 1.3.5e+r1.3.5-2+deb8u6
> CVE ID         : CVE-2020-9273
> 
> It was discovered that there was a a use-after-free vulnerability in
> in the proftpd-dfsg FTP server.
> 
> Exploitation of this vulnerability within the memory pool handling
> could have allowed a remote attacker to execute arbitrary code on the
> affected system.
> 
> For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
> 1.3.5e+r1.3.5-2+deb8u6.

Heads-up on this proftpd-dfsg update. This would need a (functional)
regression update, as upstream noticed a problem with the initial
commit (and it regressed a use-case with LogFormat functionality).

See: https://bugs.debian.org/952557

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: [SECURITY] [DLA 2115-1] proftpd-dfsg security update
  - From: "Chris Lamb" <lamby@debian.org>

Prev by Date: Re: typo in dla-2123
Next by Date: Re: security upload imposing load on other parts of Debian
Previous by thread: Re: typo in dla-2123
Next by thread: Re: [SECURITY] [DLA 2115-1] proftpd-dfsg security update
Index(es):
- Date
- Thread