Re: proftpd oldstable/stable update for CVE-2007-2165
On Tue, Jan 01, 2008 at 07:16:53PM +0100, Nico Golde wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for proftpd some time ago.
> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
> | authentication modules are configured, does not require that the
> | module that checks authentication is the same as the module that
> | retrieves authentication data, which might allow remote attackers to
> | bypass authentication, as demonstrated by use of SQLAuthTypes
> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian
> oldstable/stable. It does
> not warrant a DSA.
> However it would be nice if this could get fixed via a regular point update.
> Please contact the release team for this.
> This is an automatically generated mail, in case you are already working on an
> upgrade this is of course pointless.
> You can see the status of this vulnerability on:
> For further information:
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
>  http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable
> Kind regards
Yes, indeed I pointed that months ago to secteam without so much
interest due to the nature of the issue I think. I can prepare
a new version for a point release anyway starting from 1.2.10-22,
and limiting the changes to a specific patch. Maybe I should have
a sec update of the time somewhere, too...
Francesco P. Lovergine