proftpd affected by recent security hole (2004/05/12)?
On the proftpd.org front page, I read that proftpd has a bug relating
to ASCII translation. The previous one was critical
(remote root shell) but affected only proftpd 1.2.7rc1 and up.
Woody/stable has 1.2.4+1.2.5rc1, which is clearly not affected
by the previous one.
But is it affected by the new proftpd bug?
I guess not, but would like to be certain it's safe.
[next question perhaps too much OT]
By the way, proftpd 1.2.2rc1 fixed a previous hole relating
to globs (something like 'ls */../*/../*/../'). Solution
was to add a DenyFilter (\*.*/). I heard about another vuln
(format string?) solved by DenyFilter too (%). So I used
in proftpd.conf. Is it safe not to use it with woody's proftpd?
"There are two issues which have come to our attention,
there is an additional flaw related to the ASCII translation bug
discovered by X-Force, this affects all versions up to and
including 1.2.9rc3. Versions from 1.2.9 are not vulnerable.
Additionally a flaw in the CIDRACL code has been discovered
which can lead to an escalation in access rights within the ftp site.
This flaw affects all versions up to and including 1.2.9,
it has been fixed in cvs and 1.2.10rc1.
To avoid the flaw do not use CIDR based ACLs on vulnerable versions
or use mod_wrap and /etc/hosts.allow|deny."
"Bug: Remote Exploit in ASCII translation (...)
Version: 1.2.7rc1 and later (...)
Date: September 23, 2003 (...)
proftpd DoS (Resolved in 1.2.2rc1) like