| Summary: | net-ftp/proftpd: Two Format String Vulnerabilities (CAN-2005-2390) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jimi A. <folajimi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | humpback, uberlord |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/16181/ | | |
| Whiteboard: | B1 [glsa] DerCorny | | |
| Package list: | | Runtime testing required: | --- |
Description
Jimi A.
2005-07-26 07:42:29 UTC
humpback, please provide a fixed ebuild, thanks. This is CAN-2005-2390.

uberlord will do the ebuild, adding him to CC.

For those who are interested, patches can be found here:
http://bugs.proftpd.org/show_bug.cgi?id=2645
http://bugs.proftpd.org/show_bug.cgi?id=2646

I've committed proftpd-1.2.10-r7 with the two fixes backported. This ebuild depends on net-ftp/ftpbase-0.00, which has only been marked stable on x86 and amd64 - it should be ok to mark stable for your arch as it just installs the ftp user, the home directory for the ftp user and an ftp pam.d file. If you mark proftpd-1.2.10-r7 stable for your ARCH, you'll need to mark ftpbase-0.00 stable too.

Arches, please test and mark stable proftpd-1.2.10-r7 and ftpbase-0.00.

marked ftpbase/proftpd ppc stable

stable on ppc64

Stable on amd64 and x84

Erm - I mean stable on x86 :)

(In reply to comment #4)
> I've committed proftpd-1.2.10-r7 with the two fixes backported.

Well, you claim that proftpd-1.2.10-r7 is not vulnerable, while http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390 claims that below 1.3.0rc2 it is vulnerable. How is it ordered? Adir.

I've applied the patches which address the vulnerabilities to the 1.2.10-r7 ebuild from their bugzilla posts:
http://bugs.proftpd.org/show_bug.cgi?id=2645
http://bugs.proftpd.org/show_bug.cgi?id=2646

You can see this in the 1.2.10-r7 ebuild, as it applies these patches that mirror the above: proftpd-ftpshut.patch and proftpd-sqlshowinfo.patch.

Stable on hppa

Stable on alpha

sparc stable.

There are no stable keywords for mips.

ready for glsa

GLSA 200508-02

Can you please modify the code listing in the GLSA "Resolution" section? It's broken for folks using anything earlier than proftpd-1.2.10-r6, because that version introduced a dependency on ftpbase, which blocks anything earlier. I suggest:

```
emerge --sync
emerge unmerge "<net-ftp/proftpd-1.2.10-r6"
emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.2.10-r7"
```

Or something. :-)