Summary: | <net-ftp/proftpd-1.3.3g Response Pool Use-After-Free Vulnerability (CVE-2011-4130) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | bernd, net-ftp, proxy-maint, voyageur |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://secunia.com/advisories/46811/ | | |
Whiteboard: | B1 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2011-11-10 11:03:03 UTC
According to http://www.gentoo.org/security/en/vulnerability-policy.xml, B1 is correct. @Maintainers: please provide an updated ebuild soonish.

(In reply to comment #1)
> According to http://www.gentoo.org/security/en/vulnerability-policy.xml, B1 is
> correct.

Sorry for the misunderstanding.

1.3.3g and 1.3.4 are in tree now, and vulnerable 1.3.4_rc3 removed. 1.3.3g is the target version for stabling, target keywords "alpha amd64 hppa ppc ppc64 sparc x86"

well, thank you.

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.3g
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Stable for HPPA.

amd64 ok

x86 stable.

amd64: pass

+ 16 Nov 2011; Tony Vroon <chainsaw@gentoo.org> proftpd-1.3.3g.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah "Armageddon" El Lazkani in security bug #390075.

alpha/sparc stable

CVE-2011-4130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4130): Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.

ppc/ppc64 done

thanks everyone, add to existing glsa request.

This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).