Summary: | <net-ftp/proftpd-1.3.3e: plaintext command injection vulnerability in FTPS | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Bernard Cafarelli <voyageur> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bernd, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.proftpd.org/show_bug.cgi?id=3624 | ||
Whiteboard: | B4 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Bernard Cafarelli
2011-04-04 20:39:09 UTC
(In reply to comment #0) > I have added 1.3.3e to tree, after Bernd's notification, which includes the fix > from this bugreport Great, thank you. I am assuming this is ready to stabilize... Arches, please test and mark stable: =net-ftp/proftpd-1.3.3e Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86" Tested on x86, looks good to go here. amd64 ok amd64 done, thanks Agostino x86 stable, thanks Andreas Stable for HPPA. alpha/sparc stable ppc/ppc64 stable, last arch done Thanks, folks. GLSA Vote: no. Changing CVE to proftpd-specific allocation per http://www.openwall.com/lists/oss-security/2011/04/11/14. CVE-2011-1575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1575): The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. Vote: YES. Added to pending GLSA request. CVE-2011-1575 was for Pure-ftpd, not proftpd. I do not believe a CVE was assigned for proftpd. This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle). |