
Re: proftpd oldstable/stable update for CVE-2007-2165



Francesco P. Lovergine wrote:
> On Fri, Jan 04, 2008 at 07:13:54PM +0100, Luk Claes wrote:
>>>> CVE-2007-2165[0]:
>>>> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
>>>> | authentication modules are configured, does not require that the
>>>> | module that checks authentication is the same as the module that
>>>> | retrieves authentication data, which might allow remote attackers to
>>>> | bypass authentication, as demonstrated by use of SQLAuthTypes
>>>> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
>>>>
>>>>
> 
> [...]
> 
>>> Yes, indeed I pointed that out months ago to secteam without much
>>> interest, due to the nature of the issue I think. I can prepare
>>> a new version for a point release anyway, starting from 1.2.10-22
>>> and limiting the changes to a specific patch. Maybe I should have
>>> a sec update of the time somewhere, too...
>> Please send a diff. Thanks already.
>>
>> Cheers
>>
>> Luk
>>
>>
> 
> Here you are.

Please upload.

Cheers

Luk
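The CVE text quoted above describes a dispatch flaw: the authentication module that looked up the user record and the module that verifies the password are not required to be the same one. The model below is an added example, not ProFTPD code and not part of this thread. The module classes, the record layout, the constructed passwd/shadow/SQL data and both dispatch functions are assumptions made for illustration; the "fixed" variant only implements what the CVE text implies (the module that retrieves the record is the one that checks it) and does not claim to reproduce the upstream 20070417 change.

```python
"""Simplified model of the auth-module dispatch flaw described in CVE-2007-2165.

Added example, not ProFTPD code: module classes, record layout, sample data and
dispatch logic are assumptions for illustration. The point modelled is the one
in the CVE text: a Plaintext comparison in the SQL module can be applied to a
password field that was actually retrieved from /etc/passwd.
"""
import hashlib

# Constructed sample data (not taken from any real system).
PASSWD_FILE = "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
SHADOW_HASHES = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
SQL_USERS = {"bob": {"password": "s3cret", "uid": 2000}}  # plaintext column


class UnixModule:
    """Stands in for a passwd/shadow backend (sha256 used instead of crypt)."""
    name = "unix"

    def getpwnam(self, user):
        for line in PASSWD_FILE.splitlines():
            fields = line.split(":")
            if fields[0] == user:
                # fields[1] is the literal "x": the hash lives in the shadow store.
                return {"name": user, "pw": fields[1], "uid": int(fields[2]),
                        "source": self.name}
        return None

    def check(self, record, supplied):
        stored = SHADOW_HASHES.get(record["name"])
        if stored is None:
            return None  # declines: nothing to compare against
        return hashlib.sha256(supplied.encode()).hexdigest() == stored


class SqlModule:
    """Stands in for an SQL backend configured for plaintext passwords."""
    name = "sql"

    def getpwnam(self, user):
        row = SQL_USERS.get(user)
        if row is None:
            return None
        return {"name": user, "pw": row["password"], "uid": row["uid"],
                "source": self.name}

    def check(self, record, supplied):
        # Plaintext comparison: trusts record["pw"] to be a cleartext password,
        # whichever module actually filled that field in.
        return supplied == record["pw"]


MODULES = [SqlModule(), UnixModule()]  # SQL module consulted first


def lookup(modules, user):
    """Return the first record any configured module produces for `user`."""
    for m in modules:
        record = m.getpwnam(user)
        if record is not None:
            return record
    return None


def authenticate_vulnerable(modules, user, supplied):
    """Pre-fix behaviour as modelled: the first module willing to give a
    verdict checks the password, regardless of who produced the record."""
    record = lookup(modules, user)
    if record is None:
        return False
    for m in modules:
        verdict = m.check(record, supplied)
        if verdict is not None:
            return verdict
    return False


def authenticate_fixed(modules, user, supplied):
    """Only the module that retrieved the record may check the password."""
    record = lookup(modules, user)
    if record is None:
        return False
    for m in modules:
        if m.name == record["source"]:
            return bool(m.check(record, supplied))
    return False


if __name__ == "__main__":
    # alice's passwd field is "x"; the plaintext comparator accepts "x" as her password.
    print("vulnerable alice/'x':", authenticate_vulnerable(MODULES, "alice", "x"))
    print("fixed alice/'x':     ", authenticate_fixed(MODULES, "alice", "x"))
```

Running the block shows the bypass the CVE entry describes: with the SQL module ahead of the Unix module, `alice` is found in the constructed passwd data with password field `x`, and the plaintext comparator then accepts the literal string `x`. Pinning the check to the module that supplied the record removes the mismatch while leaving genuine SQL users (`bob`) and shadow-backed users working.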

