Please update the ebuild to the last stable release. It solves many issues along with some security vulnerabilities.
1.3.2 fixes an encoding-dependent SQL injection vulnerability:
However, a more severe issue has been discovered and we should bump to a release with both issues fixed:
The second issue has already been fixed in 1.3.2rc3.
With working exploits on milw0rm&co, please update asap.
SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.
ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
Maintainers, take note of the ebuilds posted in the blocking bug.
OK, let's try to get this package back on track...
I've just added =net-ftp/proftpd-1.3.2 to the tree, with minimal modification to the previous ebuild, candidate for security stabling.
1.3.2-r1 will include the other fixes kindly provided by Bernd Lommerzheim and other people in currently open bugs
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
I went after -r1; hope that is OK.
With ranger's comment and the whole slew of comments on the blocker bug, what do you want us to make stable? -r0+deps or -r1+deps?
-r0 is a minimal version bump that only targets the security issue, while -r1 has a few other bugfixes included.
So for this specific security stabling, it's safer to stable -r0, but -r1 is fine if you prefer it.
Stable for HPPA.
Stable on alpha.
amd64 stable, all arches done.
Ready for vote, I vote YES.
YES, too. Request filed.