Re: Proftpd and bug #319849
Vincent Bernat wrote:
> proftpd in Sarge is vulnerable to a format string vulnerability. The
> corresponding bug is marked as fixed in 1.2.10-20 and found in
> 1.2.10-15 (which is the Sarge version). This means that the Sarge
> version is still vulnerable.
Indeed, sarge proftpd (1.2.10-15) is vulnerable to the 2 recent
format string vulnerabilities [1,2],
but testing proftpd (1.2.10-20) is not [3].
[1] SQLShowInfo format string vulnerability
http://bugs.proftpd.org/show_bug.cgi?id=2645
[2] ftpshut format string vulnerability
http://bugs.proftpd.org/show_bug.cgi?id=2646
[3] Debian Changelog proftpd (1.2.10-20)
http://packages.debian.org/changelogs/pool/main/p/proftpd/proftpd_1.2.10-20/changelog
> However, the bug is closed and not tagged security.
I guess it's a mistake, even for low-risk vulnerabilities.
> Should this bug be reopened and tagged security?
vote: +1
> Will a new upload be handled by the security team shortly?
I hope so.
Ch.