the following is a copy from abugtraq posting: Package: proftpd Vulnerability: privilege escalation OpenPKG Specific: no Affected Packages: <= proftpd-1.2.9-20040207 <= proftpd-1.2.9-2.0.0 Description: A portability workaround was applied in version 1.2.9 of the FTP server ProFTPD [1]. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act like an "AllowAll" directive and so FTP clients are granted access to files and directories although the server configuration might explicitly deny this [2]. i think it would be wise to apply the patch from http://bugs.proftpd.org/show_bug.cgi?id=2267 , do a backport from version 1.2.10rc1 to current stable version or mark version 1.2.10rc1 as stable... so long rootshell Reproducible: Always Steps to Reproduce: 1. 2. 3.
Stewart, would you mind checking this one out? Apply the patch or bump to .10_rc1, your call.. otherwise security@ will do a bump.
I bumped to 1.2.9-r2 with the patch, and removed affected versions.
1.2.9 (affected) was : x86 sparc hppa ~alpha ppc ~mips 1.2.9-r2 (unaffected) currently is : ~x86 ~sparc hppa ~alpha ~ppc ~mips amd64 x86, sparc, ppc : please test and mark stable accordingly.
Stable on sparc.
Stable on x86
Stable on ppc
Thanks everyone. Ready for a GLSA draft.
GLSA 200405-09
