As per upstream bug, <proftpd-1.3.3e is vulnerable to CVE-2011-0411. I have added 1.3.3e to tree, after Bernd's notification, which includes the fix from this bugreport
(In reply to comment #0) > I have added 1.3.3e to tree, after Bernd's notification, which includes the fix > from this bugreport Great, thank you. I am assuming this is ready to stabilize... Arches, please test and mark stable: =net-ftp/proftpd-1.3.3e Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Tested on x86, looks good to go here.
amd64 ok
amd64 done, thanks Agostino
x86 stable, thanks Andreas
Stable for HPPA.
alpha/sparc stable
ppc/ppc64 stable, last arch done
Thanks, folks. GLSA Vote: no.
Changing CVE to proftpd-specific allocation per http://www.openwall.com/lists/oss-security/2011/04/11/14.
CVE-2011-1575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1575): The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Vote: YES. Added to pending GLSA request.
CVE-2011-1575 was for Pure-ftpd, not proftpd. I do not believe a CVE was assigned for proftpd.
This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).