Proposed update to proftpd for stable

To: debian-release@lists.debian.org
Subject: Proposed update to proftpd for stable
From: "Francesco P. Lovergine" <frankie@debian.org>
Date: Wed, 24 Aug 2005 14:53:31 +0200
Message-id: <[🔎] 20050824125331.GJ14885@ba.issia.cnr.it>

Hi all

Due to pressure by users about those issues, i would prepare a
proposed-updates version proftpd-1.2.10-15sarge1 which includes the
following important fixes:

   * SECURITY: Managing SQLShowInfo format string vulnerability.
     See  http://bugs.proftpd.org/show_bug.cgi?id=2645 for information.
     Related patch is 31.mod_sql.c.diff.
   * SECURITY: Managing ftpshut format string vulnerability.
     See http://bugs.proftpd.org/show_bug.cgi?id=2646 for information.
     Related patch is 30.response.c.diff.
   * New modification to mod_delay to avoid other problem with that module
     which could cause memory corruption/leakage on heavy-loaded boxes (signal 11
     and DoS). Tests show that this would correct also CPU hogging seen on 
     heavy-loaded boxes (see alioth from time to time). I would classify grave
     this issue. See: #308313, #301275 for information.

PS:

Both the first two have been reported to secteam since almost 2 months. It would 
be nice having a feedback (or at least any answer also saying "you moron, shut up"), 
one day or another from them :-/ I'm perfectly happy to distribute fixed versions
via people.d.o, but it seems a bit annoying to say every week or two to someone: "please, 
don't use -15, use -20 instead, thanks".

-- 
Francesco P. Lovergine

Reply to:

Prev by Date: Re: Please allow zlib_tpu into testing
Next by Date: Re: Bug#320145: libswt-gtk3-jni: package does not exist for ppc
Previous by thread: Re: Please allow zlib_tpu into testing
Next by thread: Re: Bug#320145: libswt-gtk3-jni: package does not exist for ppc
Index(es):
- Date
- Thread