
Re: proftpd oldstable/stable update for CVE-2007-2165

On Tue, Jan 01, 2008 at 07:16:53PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for proftpd some time ago.
> CVE-2007-2165[0]:
> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
> | authentication modules are configured, does not require that the
> | module that checks authentication is the same as the module that
> | retrieves authentication data, which might allow remote attackers to
> | bypass authentication, as demonstrated by use of SQLAuthTypes
> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via a regular security update in Debian oldstable/stable.
> It does not warrant a DSA.
> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.
> This is an automatically generated mail; in case you are already working on an
> upgrade this is of course pointless.
> You can see the status of this vulnerability on:
> http://security-tracker.debian.net/tracker/CVE-2007-2165
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
> [1] http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable
> Kind regards
> Nico

Yes, indeed I pointed that out to secteam months ago, without much
interest due to the nature of the issue, I think. I can prepare
a new version for a point release anyway, starting from 1.2.10-22
and limiting the changes to a specific patch. Maybe I should have
a sec update of the time somewhere, too...

Francesco P. Lovergine
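Added example, not part of the original message and not ProFTPD's own code: a small Python simulation of the auth-module mismatch the quoted CVE text describes. Two modules are stacked; "mod_sql" is configured with SQLAuthTypes Plaintext (a literal string compare) and "mod_auth_unix" reads /etc/passwd-style records. The vulnerable dispatcher lets whichever module answers first retrieve the record and whichever answers first check it, so mod_sql ends up comparing the login password against a field it never produced (a hash, or the shadow placeholder "x"). The fixed dispatcher only consults the module that supplied the record. The passwd lines, the stand-in hash (SHA-256 in place of crypt(3)), the user names, the SQL table and the passwords are all constructed for illustration; the module and dispatcher structure is a simplification, not ProFTPD's actual Auth API.

```python
"""Simulation of the CVE-2007-2165 bug class (added example, not ProFTPD code)."""
import hashlib

DECLINED = None  # a module that does not handle a request returns DECLINED


def unix_hash(password: str, salt: str) -> str:
    """Stand-in for crypt(3): '$5$<salt>$<hex>' so the salt is recoverable."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$5${salt}${digest}"


def unix_verify(stored: str, password: str) -> bool:
    """Re-hash with the salt embedded in the stored field and compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "5":
        return False  # "x", "*", "!" and other placeholders can never verify
    return stored == unix_hash(password, parts[2])


# Constructed /etc/passwd-style records (no real system data).
PASSWD_LINES = [
    f"alice:{unix_hash('correct horse', 'saltsalt')}:1000:1000:Alice:/home/alice:/bin/sh",
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh",  # shadowed: placeholder "x" in the field
]


class ModAuthUnix:
    name = "mod_auth_unix"

    def getpwnam(self, user):
        for line in PASSWD_LINES:
            fields = line.split(":")
            if fields[0] == user:
                return {"user": user, "pw": fields[1], "source": self.name}
        return DECLINED

    def auth(self, entry, password):
        return unix_verify(entry["pw"], password)


class ModSQL:
    """SQLAuthTypes Plaintext: the stored field is taken to be the literal password."""
    name = "mod_sql"

    def __init__(self, table):
        self.table = table  # constructed {user: plaintext password} in place of a DB

    def getpwnam(self, user):
        if user in self.table:
            return {"user": user, "pw": self.table[user], "source": self.name}
        return DECLINED

    def auth(self, entry, password):
        return entry["pw"] == password  # never declines: checks whatever it is handed


def _lookup(modules, user):
    for m in modules:
        entry = m.getpwnam(user)
        if entry is not DECLINED:
            return entry
    return DECLINED


def authenticate_vulnerable(modules, user, password):
    """Pre-fix behaviour: the first auth handler to give a verdict decides,
    regardless of which module produced the record."""
    entry = _lookup(modules, user)
    if entry is DECLINED:
        return False
    for m in modules:
        verdict = m.auth(entry, password)
        if verdict is not DECLINED:
            return bool(verdict)
    return False


def authenticate_fixed(modules, user, password):
    """Fixed behaviour: only the module that retrieved the record may check it."""
    entry = _lookup(modules, user)
    if entry is DECLINED:
        return False
    for m in modules:
        if m.name != entry["source"]:
            continue  # did not produce this record, so it declines
        return bool(m.auth(entry, password))
    return False


# mod_sql is consulted first, as in the configuration the CVE text describes.
MODULES = [ModSQL(table={"carol": "s3cret"}), ModAuthUnix()]


def demo():
    alice_hash = PASSWD_LINES[0].split(":")[1]
    return {
        "vuln_bob_x": authenticate_vulnerable(MODULES, "bob", "x"),
        "vuln_alice_hash": authenticate_vulnerable(MODULES, "alice", alice_hash),
        "vuln_alice_real": authenticate_vulnerable(MODULES, "alice", "correct horse"),
        "fixed_bob_x": authenticate_fixed(MODULES, "bob", "x"),
        "fixed_alice_hash": authenticate_fixed(MODULES, "alice", alice_hash),
        "fixed_alice_real": authenticate_fixed(MODULES, "alice", "correct horse"),
        "fixed_carol": authenticate_fixed(MODULES, "carol", "s3cret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable dispatch, logging in as "bob" with the password "x" succeeds because mod_sql's plaintext compare is applied to the placeholder that mod_auth_unix read from the passwd field, and logging in as "alice" succeeds with the hash string itself while her real password is rejected. Once the record carries the name of the module that retrieved it and only that module's check is consulted, both bypasses fail and the legitimate logins work.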
