Proposed update to proftpd for stable
Due to pressure from users about those issues, I would prepare a
proposed-updates version proftpd-1.2.10-15sarge1 which includes the
following important fixes:
* SECURITY: Managing SQLShowInfo format string vulnerability.
  See http://bugs.proftpd.org/show_bug.cgi?id=2645 for information.
  Related patch is 31.mod_sql.c.diff.
* SECURITY: Managing ftpshut format string vulnerability.
  See http://bugs.proftpd.org/show_bug.cgi?id=2646 for information.
  Related patch is 30.response.c.diff.
* New modification to mod_delay to avoid another problem with that module
  which could cause memory corruption/leakage on heavily loaded boxes (signal 11
  and DoS). Tests show that this would also correct the CPU hogging seen on
  heavily loaded boxes (see alioth from time to time). I would classify this
  issue as grave. See: #308313, #301275 for information.
The first two were both reported to secteam almost 2 months ago. It would
be nice to have some feedback (or at least any answer, even one saying "you moron, shut up"),
one day or another from them :-/ I'm perfectly happy to distribute fixed versions
via people.d.o, but it seems a bit annoying to say every week or two to someone: "please,
don't use -15, use -20 instead, thanks".
Francesco P. Lovergine