Hello, on 17/Dec/2010 ProFTPD 1.3.3d [1,2] with some bugfixes and ProFTPD 1.3.4rc1 [3,4] with new features have been released. For ProFTPD 1.3.3d a simple version bump of the ProFTPD 1.3.3c ebuild should work without problems. And for ProFTPD 1.3.4rc1 I will attach a patch against proftpd-1.3.3c with the following improvements:
* Bump mod_vroot to 0.9.
* Move mod_deflate from an external module to a contrib module.
* Add support for the new modules mod_copy, mod_ifversion and mod_qos.
* Remove blocking check for a running ProFTPD pre 1.3.3. When ProFTPD 1.3.4 goes stable, ProFTPD 1.3.3d will have been stable for over half a year and then everybody should have migrated the pid file to its new location.
* Add support for finding the MySQL and PostgreSQL headers and libraries automatically.
Works fine for me. Although upstream did not mark the ProFTPD 1.3.3d release as fixing important security bugs, I think it does: ProFTPD 1.3.3d and 1.3.4rc1 fix ProFTPD Bug #3536 [5] and as far as I remember this bug might be the problem that was used to break into ftp.proftpd.org a few weeks ago. Nevertheless I think we should quickly add ProFTPD 1.3.3d to the portage tree and start a stabilization request for it.
Best regards.
Bernd Lommerzheim
[1] http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3d
[2] http://www.proftpd.org/docs/NEWS-1.3.3d
[3] http://www.proftpd.org/docs/RELEASE_NOTES-1.3.4rc1
[4] http://www.proftpd.org/docs/NEWS-1.3.4rc1
[5] http://bugs.proftpd.org/show_bug.cgi?id=3536
Created attachment 257480 [details, diff] proftpd-1.3.4_rc1.ebuild patch (against proftpd-1.3.3d.ebuild)
I'm pretty sure this is security relevant, from the release notes:
+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
@net-ftp, is mod_sql enabled by default (or only with USE='mysql')?
(In reply to comment #3)
> @net-ftp, is mod_sql enabled by default (or only with USE='mysql')?
No, the module "mod_sql" only gets built into ProFTPD when using USE="mysql" or USE="postgres".
Sorry for the delay here. No CVE on this, but reading the bug report and:
http://www.securityfocus.com/bid/44933
http://phrack.org/issues.html?issue=67&id=7#article
it's indeed better to stable 1.3.3d. I have added it to the tree; stable target keywords are: alpha amd64 hppa ppc ppc64 sparc x86
(In reply to comment #5)
> Sorry for the delay here.
No problem; thank you for the new ebuild.
Arches, please test and mark stable: =net-ftp/proftpd-1.3.3d
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
ppc/ppc64 stable
amd64 works!
amd64 done. Thanks Agostino
x86 stable
Stable for HPPA.
Stable on alpha.
sparc stable
xiexie folks. Added to existing GLSA request.
CVE-2010-4652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4652): Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query.
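A defender-side applicability check for the CVE described above, added here as an example (it is not code from this thread or from ProFTPD): it orders ProFTPD version strings the way the project numbers them (patch letters such as 1.3.3c/1.3.3d and rc suffixes such as 1.3.4rc1) and reads the compiled-in module list, so that the "when mod_sql is enabled" condition is honoured. The "Compiled-in modules:" layout of `proftpd -l` output is an assumption and the sample output is constructed.

```python
import re

# First release carrying the sql_prepare_where() fix (ProFTPD Bug #3536).
# 1.3.4rc1 also carries it and sorts above 1.3.3d with the key below.
FIXED_IN = "1.3.3d"

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?(?:rc(\d+))?$")


def version_key(version):
    """Map a ProFTPD version string to a sortable tuple.

    Ordering: 1.3.3 < 1.3.3a < ... < 1.3.3d < 1.3.4rc1 < 1.3.4rc2 < 1.3.4
    """
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised ProFTPD version: %r" % version)
    major, minor, patch, letter, rc = m.groups()
    # A release candidate sorts before the final release of the same number;
    # a patch letter (a, b, c, ...) sorts after the bare release.
    rc_rank = (0, int(rc)) if rc else (1, 0)
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch)) + rc_rank + (letter_rank,)


def compiled_modules(list_output):
    """Collect module names from `proftpd -l` output.

    Assumed format: one 'mod_xxx.c' per line under a 'Compiled-in modules:' header.
    """
    mods = set()
    for line in list_output.splitlines():
        line = line.strip()
        if line.startswith("mod_") and line.endswith(".c"):
            mods.add(line[:-2])
    return mods


def is_affected(version, list_output):
    """CVE-2010-4652 applies only to builds before 1.3.3d that include mod_sql."""
    too_old = version_key(version) < version_key(FIXED_IN)
    return too_old and "mod_sql" in compiled_modules(list_output)


# Constructed sample of `proftpd -l` output for a USE="mysql" build.
SAMPLE_LIST_OUTPUT = """Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth.c
  mod_ls.c
  mod_sql.c
  mod_sql_mysql.c
"""
```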
This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).