Re: proftpd oldstable/stable update for CVE-2007-2165
Francesco P. Lovergine wrote:
> On Fri, Jan 04, 2008 at 07:13:54PM +0100, Luk Claes wrote:
>>>> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
>>>> | authentication modules are configured, does not require that the
>>>> | module that checks authentication is the same as the module that
>>>> | retrieves authentication data, which might allow remote attackers to
>>>> | bypass authentication, as demonstrated by use of SQLAuthTypes
>>>> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
>>> Yes, indeed I pointed that out months ago to secteam without so much
>>> interest due to the nature of the issue, I think. I can prepare
>>> a new version for a point release anyway, starting from 1.2.10-22
>>> and limiting the changes to a specific patch. Maybe I should have
>>> a sec update of the time somewhere, too...
>> Please send a diff. Thanks already.
> Here you are.