
Re: proftpd oldstable/stable update for CVE-2007-2165



Francesco P. Lovergine wrote:
> On Tue, Jan 01, 2008 at 07:16:53PM +0100, Nico Golde wrote:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for proftpd some time ago.
>>
>> CVE-2007-2165[0]:
>> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
>> | authentication modules are configured, does not require that the
>> | module that checks authentication is the same as the module that
>> | retrieves authentication data, which might allow remote attackers to
>> | bypass authentication, as demonstrated by use of SQLAuthTypes
>> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
>>
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via a regular security update in Debian oldstable/stable.
>> It does not warrant a DSA.
>>
>> However it would be nice if this could get fixed via a regular point update[1].
>> Please contact the release team for this.
>>
>> This is an automatically generated mail, in case you are already working on an
>> upgrade this is of course pointless.
>>
>> You can see the status of this vulnerability on:
>> http://security-tracker.debian.net/tracker/CVE-2007-2165
>>
>> For further information:
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
>> [1] http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable
>>
>> Kind regards
>> Nico
>>
> 
> Yes, indeed I pointed that out months ago to secteam without much
> interest, due to the nature of the issue I think. I can prepare
> a new version for a point release anyway, starting from 1.2.10-22
> and limiting the changes to a specific patch. Maybe I should have
> a sec update of the time somewhere, too...

Please send a diff. Thanks already.

Cheers

Luk
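As an added illustration of the CVE description quoted above (not code from ProFTPD or from anyone in this thread), a simplified Python model of a chained auth API: the unsafe dispatcher lets any module verify a record fetched by a different module, so a plaintext comparator can be handed a stored hash, while the fixed dispatcher pins the password check to the module that supplied the record. Module classes, user names and passwords are constructed for the example.

```python
import hashlib

# Constructed, simplified model of a chained auth API. It is NOT ProFTPD's
# real Auth API; it only illustrates the CVE-2007-2165 class of bug.

def _hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

class UnixLikeModule:
    """Stores hashed passwords (think /etc/passwd or /etc/shadow)."""
    name = "mod_unix"
    def __init__(self, users): self.users = users      # user -> hash
    def getpwnam(self, user): return self.users.get(user)
    def check(self, stored, password): return stored == _hash(password)

class SqlPlaintextModule:
    """Models SQLAuthTypes Plaintext: compares the password verbatim."""
    name = "mod_sql"
    def __init__(self, users): self.users = users      # user -> plaintext
    def getpwnam(self, user): return self.users.get(user)
    def check(self, stored, password): return stored == password

def _lookup(modules, user):
    """First module that knows the user supplies the record."""
    for m in modules:
        rec = m.getpwnam(user)
        if rec is not None:
            return m, rec
    return None, None

def authenticate_unsafe(modules, user, password):
    """Vulnerable: any module may verify a record fetched by another one."""
    _, stored = _lookup(modules, user)
    if stored is None:
        return False
    return any(m.check(stored, password) for m in modules)

def authenticate_fixed(modules, user, password):
    """Fixed: only the module that supplied the record may check it."""
    owner, stored = _lookup(modules, user)
    return stored is not None and owner.check(stored, password)

# Constructed chain: hashed unix-style user first, plaintext SQL user second.
MODULES = [UnixLikeModule({"alice": _hash("correct horse")}),
           SqlPlaintextModule({"bob": "battery staple"})]
```

With the unsafe dispatcher, presenting alice's stored hash string as the password passes mod_sql's plaintext compare; the fixed dispatcher rejects it and still accepts the real passwords.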

