On 29/Oct/2010 ProFTPD 1.3.3c [1,2], with two important security fixes [3,4] and some bugfixes, was released. I think a copy of the proftpd-1.3.3b ebuild should work for ProFTPD 1.3.3c without problems.
Furthermore, I will attach a patch for the proftpd.initd file (against proftpd.initd) to fix the following issues:
* Fix wrong whitespace introduced in the last commit.
* Another fix for Gentoo Bug #314055.
I think we should really quickly add ProFTPD 1.3.3c to the portage tree and, as this release fixes two important security bugs, start a stabilization request for it.
Created attachment 252583: proftpd initd patch (against proftpd.initd)
Thanks a lot for the report!
For the init script, Bernd, can you upload the diff in unified format (-u option) to bug #314055? We'll fix that there.
@security, I've added 1.3.3c in tree, with the same ebuild as the current stable 1.3.3a. We have a stack overflow, and write access outside the writable directory in some cases.
Target keywords: alpha, amd64, hppa, ppc, ppc64, sparc, x86
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Stable for HPPA.
Stable for PPC.
All arches done, all versions except the new stable 1.3.3c removed from tree (the first vulnerability has been present since proftpd-1.2.0pre10).
GLSA request filed.
This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).