Bug#: 49496
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Florian Schilhabel (RETIRED) <ruth@gentoo.org>
Description:   Opened: 2004-04-30 07:12 0000
The following is a copy from a bugtraq posting:

Package:             proftpd
Vulnerability:       privilege escalation
OpenPKG Specific:    no

Affected Packages:
<= proftpd-1.2.9-20040207
<= proftpd-1.2.9-2.0.0

Description:
  A portability workaround was applied in version 1.2.9 of the FTP
  server ProFTPD [1]. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN)
  ACL entries in "Allow" and "Deny" directives act like an "AllowAll"
  directive and so FTP clients are granted access to files and
  directories although the server configuration might explicitly deny
  this [2].

I think it would be wise to apply the patch from
http://bugs.proftpd.org/show_bug.cgi?id=2267,
do a backport from version 1.2.10rc1 to the current stable version,
or mark version 1.2.10rc1 as stable...
so long
rootshell


Reproducible: Always
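The advisory quoted above says that CIDR entries in Allow/Deny directives were effectively treated as AllowAll. The following is an added example (not ProFTPD code and not from the bug report) that computes the verdict a correctly behaving server should give for a client address under a <Limit> block, so the result can be compared with what a running server actually does when checking that the fix is in place. It assumes IPv4 entries only ("all", a.b.c.d or a.b.c.d/NN), that entries are checked in the Order given with the first match deciding, and that a client matching no entry falls through as allowed.

```python
"""Expected-verdict evaluator for ProFTPD-style <Limit> ACL entries (added
example, not ProFTPD code). Assumptions: IPv4 entries only ("all", a.b.c.d or
a.b.c.d/NN); entries are checked in the Order given, first match decides; a
client matching no entry falls through as allowed."""
import ipaddress
import re
# Constructed fragment (not from the bug report): the usual "allow one network,
# deny everyone else" pattern, which the reported bug turned into an effective
# AllowAll because the /16 entry matched every client.
SAMPLE_LIMIT = """
<Limit LOGIN>
  Order allow,deny
  Allow from 192.168.0.0/16 10.9.8.7
  Deny from all
</Limit>
"""
_RULE_RE = re.compile(r"^\s*(Allow|Deny)\s+from\s+(.+?)\s*$", re.I | re.M)
_ORDER_RE = re.compile(r"^\s*Order\s+(allow,deny|deny,allow)\s*$", re.I | re.M)

def entry_matches(entry, client_ip):
    """True if one ACL entry covers client_ip; a /NN entry must cover only the
    addresses inside that prefix, never every client."""
    if entry.lower() == "all":
        return True
    if "/" in entry:
        return client_ip in ipaddress.ip_network(entry, strict=False)
    return client_ip == ipaddress.ip_address(entry)

def parse_limit(text):
    """Return (order, [(verb, [entries]), ...]) from a <Limit> block."""
    m = _ORDER_RE.search(text)
    order = m.group(1).lower() if m else "allow,deny"   # assumed default
    rules = [(v.lower(), e.replace(",", " ").split()) for v, e in _RULE_RE.findall(text)]
    return order, rules

def expected_verdict(text, client):
    """Return "allow" or "deny" for client under the block in text."""
    order, rules = parse_limit(text)
    ip = ipaddress.ip_address(client)
    for verb in order.split(","):            # Allow rules first under allow,deny
        for rule_verb, entries in rules:
            if rule_verb == verb and any(entry_matches(e, ip) for e in entries):
                return verb
    return "allow"                            # nothing matched: falls through

if __name__ == "__main__":
    # Compare against a live server: one still affected would admit all four.
    for client in ("192.168.33.1", "10.9.8.7", "10.9.8.8", "203.0.113.5"):
        print(client, "->", expected_verdict(SAMPLE_LIMIT, client))
```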

------- Comment #1 From Brandon Hale (RETIRED) 2004-04-30 09:57:45 0000 -------
Stewart, would you mind checking this one out? Apply the patch or bump to
.10_rc1, your call.. otherwise security@ will do a bump.

------- Comment #2 From Brandon Hale (RETIRED) 2004-05-04 09:28:45 0000 -------
I bumped to 1.2.9-r2 with the patch, and removed affected versions.

------- Comment #3 From Thierry Carrez (RETIRED) 2004-05-05 03:02:07 0000 -------
1.2.9 (affected) was: x86 sparc hppa ~alpha ppc ~mips
1.2.9-r2 (unaffected) currently is: ~x86 ~sparc hppa ~alpha ~ppc ~mips amd64

x86, sparc, ppc: please test and mark stable accordingly.

------- Comment #4 From Jason Wever (RETIRED) 2004-05-05 19:24:59 0000 -------
Stable on sparc.

------- Comment #5 From Jon Portnoy (RETIRED) 2004-05-05 19:37:44 0000 -------
Stable on x86

------- Comment #6 From David Holm (RETIRED) 2004-05-06 04:52:39 0000 -------
Stable on ppc

------- Comment #7 From Thierry Carrez (RETIRED) 2004-05-06 05:01:25 0000 -------
Thanks everyone. Ready for a GLSA draft.

------- Comment #8 From Thierry Carrez (RETIRED) 2004-05-19 08:37:59 0000 -------
GLSA 200405-09
