Re: proftpd oldstable/stable update for CVE-2007-2165
Francesco P. Lovergine wrote:
> On Tue, Jan 01, 2008 at 07:16:53PM +0100, Nico Golde wrote:
>> The following CVE (Common Vulnerabilities & Exposures) ID was
>> published for proftpd some time ago.
>> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
>> | authentication modules are configured, does not require that the
>> | module that checks authentication is the same as the module that
>> | retrieves authentication data, which might allow remote attackers to
>> | bypass authentication, as demonstrated by use of SQLAuthTypes
>> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via a regular security update in Debian
>> oldstable/stable. It does not warrant a DSA.
>> However it would be nice if this could get fixed via a regular point update.
>> Please contact the release team for this.
>> This is an automatically generated mail; in case you are already working on an
>> upgrade, this is of course pointless.
>> You can see the status of this vulnerability on:
>> For further information:
>>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
>>  http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable
>> Kind regards
> Yes, indeed, I pointed that out months ago to secteam, without much
> interest due to the nature of the issue, I think. I can prepare
> a new version for a point release anyway, starting from 1.2.10-22
> and limiting the changes to a specific patch. Maybe I should have
> a sec update of the time somewhere, too...
Please send a diff. Thanks already.
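For readers of this thread, the condition the CVE text above describes (several auth modules active at once, with mod_sql checking plaintext passwords against data another module fetched) corresponds to a proftpd.conf along the lines below. This is an added illustration, not configuration from the Debian package, the upstream project, or anyone in this thread; the database name, credentials, table and column names are made up, and the "tightened" half only narrows the configuration so that one module both retrieves and checks the credentials. It is not a substitute for the upstream Auth API patch the point release is meant to carry.

```apache
# --- Configuration shape matching the CVE description (assumed illustration) ---
# Two authentication modules consulted for the same login, and mod_sql
# comparing the supplied password in the clear.  With the pre-fix Auth API
# the module that compares the password need not be the one that retrieved
# the account data, so mod_sql's Plaintext check may run against a record
# that mod_auth_unix pulled from /etc/passwd.
AuthOrder        mod_sql.c mod_auth_unix.c
SQLAuthenticate  users groups
SQLAuthTypes     Plaintext
SQLConnectInfo   ftpdb@localhost ftpuser s3cret        # made-up DSN/credentials
SQLUserInfo      ftpusers userid passwd uid gid homedir shell   # made-up table/columns

# --- Tightened shape (assumed): a single auth module, no plaintext compare ---
# Only mod_sql answers for users and groups, so retrieval and checking cannot
# come from different modules, and stored passwords are compared via crypt(3)
# hashes rather than in the clear.
AuthOrder        mod_sql.c
SQLAuthenticate  users groups
SQLAuthTypes     Crypt
SQLConnectInfo   ftpdb@localhost ftpuser s3cret        # made-up DSN/credentials
SQLUserInfo      ftpusers userid passwd uid gid homedir shell   # made-up table/columns
```

A practitioner auditing an oldstable/stable host before the point update lands would grep proftpd.conf for an AuthOrder line naming more than one module alongside SQLAuthTypes Plaintext; that pairing is the one the CVE text singles out.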