On 17/Dec/2010 ProFTPD 1.3.3d [1,2] with some bugfixes and ProFTPD 1.3.4rc1 [3,4] with new features have been released. For ProFTPD 1.3.3d a simple version bump of the ProFTPD 1.3.3c ebuild should work without problems.
And for ProFTPD 1.3.4rc1 I will attach a patch against proftpd-1.3.3c with the following improvements:
* Bump mod_vroot to 0.9.
* Move mod_deflate from an external module to a contrib module.
* Add support for the new modules mod_copy, mod_ifversion and mod_qos.
* Remove the blocking check for a running ProFTPD pre 1.3.3. When ProFTPD 1.3.4 gets stable, ProFTPD 1.3.3d will have been stable for over half a year, and by then everybody should have migrated the pid file to its new location.
* Add support for finding the MySQL and PostgreSQL headers and libraries automatically. Works fine for me.
Although upstream did not mark the ProFTPD 1.3.3d release as fixing important security bugs, I think it does: ProFTPD 1.3.3d and 1.3.4rc1 fix ProFTPD Bug #3536, and as far as I remember this bug might be the problem that was used to break into ftp.proftpd.org a few weeks ago. Nevertheless I think we should quickly add ProFTPD 1.3.3d to the portage tree and start a stabilization request for it.
Created attachment 257480
proftpd-1.3.4_rc1.ebuild patch (against proftpd-1.3.3d.ebuild)
I'm pretty sure this is security relevant, from release-notes:
+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
@net-ftp, is mod_sql enabled by default (or only with USE='mysql')?
(In reply to comment #3)
> @net-ftp, is mod_sql enabled by default (or only with USE='mysql')?
No, the module "mod_sql" only gets built into ProFTPD when using USE="mysql" or USE="postgres".
Sorry for the delay here.
No CVE on this, but reading the bug report and:
it's indeed better to stable 1.3.3d. I have added it to the tree; stable target keywords are:
alpha amd64 hppa ppc ppc64 sparc x86
(In reply to comment #5)
> Sorry for the delay here.
No problem; thank you for the new ebuild.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
amd64 done. Thanks Agostino
Stable for HPPA.
Stable on alpha.
xiexie folks. Added to existing GLSA request.
Heap-based buffer overflow in the sql_prepare_where function
(contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled,
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a crafted username containing substitution tags,
which are not properly handled during construction of an SQL query.
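The two conditions named above (a build older than 1.3.3d, and mod_sql compiled in, which on Gentoo means USE="mysql" or USE="postgres") can be checked on a host from the output of `proftpd -v` and `proftpd -l`. The following is an added example written for this page; it is not code from the bug report or from the ProFTPD project. The sample output strings are constructed to match the shape of those commands and are not captured from a real host; the version-ordering rule (bugfix letters after the bare release, `rcN` before it) is an assumption based on the version names used in this thread.

```python
import re
import subprocess

# Constructed sample output, in the shape printed by `proftpd -v` and
# `proftpd -l` on a build where mod_sql was compiled in (USE="mysql").
# On a real host the two strings come from collect_live() below.
SAMPLE_VERSION_OUTPUT = "ProFTPD Version 1.3.3c"
SAMPLE_MODULE_OUTPUT = """Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_sql.c
  mod_sql_mysql.c
  mod_delay.c
"""

FIXED_RELEASE = "1.3.3d"   # first release carrying the Bug #3536 fix


def version_key(ver):
    """Turn a ProFTPD version string into a tuple that sorts correctly.

    Assumed ordering: a trailing letter marks a bugfix release
    (1.3.3 < 1.3.3a < ... < 1.3.3d) and 'rcN' marks a release candidate,
    which precedes the bare release (1.3.4rc1 < 1.3.4). Either kind of
    1.3.4 release is later than every 1.3.3x release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z])?(?:rc(\d+))?", ver)
    if m is None:
        raise ValueError("unrecognised ProFTPD version: %r" % ver)
    major, minor, patch, letter, rc = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    rc_rank = int(rc) if rc else 10 ** 6   # a final release outranks any rc
    return (int(major), int(minor), int(patch), letter_rank, rc_rank)


def parse_version(output):
    """Extract '1.3.3c' from a line such as 'ProFTPD Version 1.3.3c'."""
    m = re.search(r"ProFTPD Version (\S+)", output)
    if m is None:
        raise ValueError("no version line in proftpd -v output")
    return m.group(1)


def parse_modules(output):
    """Return the module names listed by `proftpd -l`, e.g. {'mod_sql', ...}."""
    return {
        line.strip()[:-2]
        for line in output.splitlines()
        if line.strip().endswith(".c")
    }


def is_exposed(version_output, module_output):
    """True when the server is older than 1.3.3d AND mod_sql is compiled in.

    Both conditions are needed: the overflow lives in contrib/mod_sql.c, so
    a build without mod_sql does not contain the affected code at all.
    """
    version = parse_version(version_output)
    vulnerable_version = version_key(version) < version_key(FIXED_RELEASE)
    has_mod_sql = "mod_sql" in parse_modules(module_output)
    return vulnerable_version and has_mod_sql


def collect_live():
    """Run the real binaries; only meaningful on a host with proftpd installed."""
    v = subprocess.run(["proftpd", "-v"], capture_output=True, text=True).stdout
    l = subprocess.run(["proftpd", "-l"], capture_output=True, text=True).stdout
    return v, l


if __name__ == "__main__":
    try:
        v_out, l_out = collect_live()
    except FileNotFoundError:
        # No proftpd binary here: fall back to the constructed sample.
        v_out, l_out = SAMPLE_VERSION_OUTPUT, SAMPLE_MODULE_OUTPUT
    print("exposed to Bug #3536:", is_exposed(v_out, l_out))
```

`proftpd -l` only lists modules compiled into the binary. On a build that loads mod_sql as a shared object through a `LoadModule` directive in proftpd.conf, the configuration has to be inspected as well, so treat a negative module result as "not compiled in" rather than "not loaded".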
This issue was resolved and addressed in
GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml
by GLSA coordinator Sean Amoss (ackle).