
Re: Proftpd and bug #319849



Vincent Bernat a écrit :
> proftpd in Sarge is vulnerable to a format string vulnerability. The
> corresponding bug is marked as fixed in 1.2.10-20 and found in
> 1.2.10-15 (which is the Sarge version). This means that the Sarge
> version is still vulnerable.

Indeed, sarge proftpd (1.2.10-15) is vulnerable to the 2 recent
format string vulnerabilities [1,2],
but testing proftpd (1.2.10-20) is not [3].

[1] SQLShowInfo format string vulnerability
    http://bugs.proftpd.org/show_bug.cgi?id=2645

[2] ftpshut format string vulnerability
    http://bugs.proftpd.org/show_bug.cgi?id=2646

[3] Debian Changelog proftpd (1.2.10-20)
    http://packages.debian.org/changelogs/pool/main/p/proftpd/proftpd_1.2.10-20/changelog

> However, the bug is closed and not tagged security.

I guess it's a mistake, even for low-risk vulnerabilities.

> Should this bug be reopened and tagged security?

vote: +1

> Will a new upload be handled by the security team shortly?

I hope so.

Ch.
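The two proftpd bugs cited in [1] and [2] are format string vulnerabilities. The C code below is an added example, not proftpd's code and not part of this thread: it shows the generic pattern behind that bug class (a logging-style wrapper whose format argument is fed configuration or user text), the fixed form, and a small scanner that counts printf conversion directives in a string so a reviewer can spot risky values. All function, struct and variable names are hypothetical, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning a string for printf-style conversion directives. */
struct fmt_scan {
    int directives;   /* number of real conversions found ("%%" is not one) */
    int has_n;        /* a "%n" (the write directive) is present */
};

/* Count conversion directives in `text`. A conversion is '%' followed by
 * optional flag/width/precision/length characters and a conversion letter;
 * "%%" is a literal percent sign and is skipped. */
struct fmt_scan scan_format_directives(const char *text)
{
    struct fmt_scan r = {0, 0};
    const char *p = text;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                  /* step past '%' */
        if (*p == '%') { p++; continue; }     /* "%%": literal, not a directive */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;                            /* dangling '%' at end of string */
        r.directives++;
        if (*p == 'n')
            r.has_n = 1;
        p++;
    }
    return r;
}

/* Logging-style wrapper: the kind of printf-family helper that format string
 * bugs usually hide behind. No format attribute is declared on it, so the
 * compiler's -Wformat-security check cannot see through it (hypothetical). */
static int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: operator- or user-controlled text becomes the format.
 * Any %x, %s or %n inside `text` is interpreted against the call's stack. */
int render_banner_unsafe(char *out, size_t outlen, const char *text)
{
    return log_fmt(out, outlen, text);
}

/* FIXED pattern: a constant format string; the text is only ever data. */
int render_banner_safe(char *out, size_t outlen, const char *text)
{
    return log_fmt(out, outlen, "%s", text);
}

/* Check helper: 1 if rendering `text` through the safe path reproduces it
 * byte for byte, i.e. no directive was interpreted. */
int safe_render_is_literal(const char *text)
{
    char buf[256];
    render_banner_safe(buf, sizeof buf, text);
    return strcmp(buf, text) == 0;
}

int main(void)
{
    char buf[128];
    const char *hostile = "%x.%x.%n";                    /* constructed */
    struct fmt_scan r = scan_format_directives(hostile);

    render_banner_safe(buf, sizeof buf, hostile);
    printf("safe render: %s\n", buf);                   /* directives appear literally */
    printf("directives: %d, has %%n: %d\n", r.directives, r.has_n);
    render_banner_unsafe(buf, sizeof buf, "plain text"); /* benign input only */
    printf("unsafe path, benign input: %s\n", buf);
    return 0;
}
```

Building with `-Wformat -Wformat-security` only flags direct calls to functions the compiler knows take a format string; adding `__attribute__((format(printf, 3, 4)))` to a wrapper like `log_fmt` makes the compiler report the `render_banner_unsafe` call at build time, which is the cheapest way to keep this bug class out of a code base.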


