Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
On 3/29/02 3:40 PM martin f krafft said...
>dear bugtraq'ers,
>
>i must confess that the information i provided wrt the acclaimed DoS
>exploit in Debian potato's proftpd package (1.2.0pre10-2.0potato1) was
>not fully accurate. the package *does in fact contain a buggy daemon*
>despite having been fixed, according to the changelog:
>
> proftpd (1.2.0pre10-2.0potato1) stable; urgency=high
<snip>
>i don't think it's necessary to discuss this; the daemon as packaged
>by debian is buggy and that has to be fixed. but i hope i was able to
>give you some more information on the extent of the exploit. i will
>do my best to push a fixed package into the APT archive at
>security.debian.org as soon as possible.
Plus 1.2.0 went final back in January 2001. It's been out for over a
year. Many versions without this bug have been released for some time.
I don't see any reason to beat a dead horse. Any distribution that still
ships anything older than 1.2.4 should simply make 1.2.4 available in the
updates or errata.
--
Justin Shore, ES-SS ES-SSR Pittsburg State University
Network & Systems Manager Kelce 157Q
Office of Information Systems Pittsburg, KS 66762
Voice: (620) 235-4606 Fax: (620) 235-4545
http://www.pittstate.edu/ois/
Warning: This message has been quadruple Rot13'ed for your protection.