Proposed update to proftpd for stable

Hi all

Due to pressure from users about these issues, I would prepare a
proposed-updates version proftpd-1.2.10-15sarge1 which includes the
following important fixes:

   * SECURITY: Managing SQLShowInfo format string vulnerability.
     See http://bugs.proftpd.org/show_bug.cgi?id=2645 for information.
     Related patch is 31.mod_sql.c.diff.
   * SECURITY: Managing ftpshut format string vulnerability.
     See http://bugs.proftpd.org/show_bug.cgi?id=2646 for information.
     Related patch is 30.response.c.diff.
   * New modification to mod_delay to avoid another problem with that module
     which could cause memory corruption/leakage on heavily loaded boxes (signal 11
     and DoS). Tests show that this would also correct the CPU hogging seen on
     heavily loaded boxes (see alioth from time to time). I would classify
     this issue as grave. See: #308313, #301275 for information.

The first two have both been reported to secteam for almost 2 months. It would
be nice to have some feedback (or at least any answer, even one saying "you moron, shut up"),
one day or another from them :-/ I'm perfectly happy to distribute fixed versions
via people.d.o, but it seems a bit annoying to say every week or two to someone: "please,
don't use -15, use -20 instead, thanks".

Francesco P. Lovergine
