As per the upstream bug, <proftpd-1.3.3e is vulnerable to CVE-2011-0411.
I have added 1.3.3e to the tree, after Bernd's notification, which includes the fix from this bug report.
(In reply to comment #0)
> I have added 1.3.3e to the tree, after Bernd's notification, which includes the fix
> from this bug report.
Great, thank you. I am assuming this is ready to stabilize...
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Tested on x86, looks good to go here.
amd64 done, thanks Agostino
x86 stable, thanks Andreas
Stable for HPPA.
ppc/ppc64 stable, last arch done
GLSA Vote: no.
Changing CVE to proftpd-specific allocation per http://www.openwall.com/lists/oss-security/2011/04/11/14.
The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does
not properly restrict I/O buffering, which allows man-in-the-middle
attackers to insert commands into encrypted FTP sessions by sending a
cleartext command that is processed after TLS is in place, related to a
"plaintext command injection" attack, a similar issue to CVE-2011-0411.
Vote: YES. Added to pending GLSA request.
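The "plaintext command injection" described in that CVE text is a generic STARTTLS buffering mistake, not something specific to FTP: a server reads the AUTH TLS command and whatever cleartext bytes the network delivered with it into one input buffer, performs the TLS handshake, and then keeps parsing the leftover bytes as if they had arrived over the encrypted channel. The model below is an added example, not code from Pure-FTPd, ProFTPD or this bug; the Session class, the command names and the injected traffic are constructed for illustration. It contrasts a server that carries the buffer across the handshake with one that discards everything received in the clear before switching to TLS.

```python
"""In-memory model of an FTP control connection that upgrades to TLS on
AUTH TLS. Constructed example: Session and its command loop are
hypothetical, not Pure-FTPd or ProFTPD code."""


class Session:
    """Minimal FTP command loop; flush_on_starttls selects the fixed behaviour."""

    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.buf = b""      # bytes read from the socket but not yet parsed
        self.tls = False    # True once the TLS handshake has completed
        self.log = []       # (command, tls_state_when_processed)

    def feed(self, data):
        """Simulate one recv(): the network delivers data in arbitrary chunks,
        so a pipelined cleartext command can share a segment with AUTH TLS."""
        self.buf += data
        self._process()

    def _process(self):
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self.log.append((line.decode(), self.tls))
            if line.upper() == b"AUTH TLS" and not self.tls:
                self._starttls()

    def _starttls(self):
        """Stand-in for sending 234 and running the TLS handshake."""
        if self.flush_on_starttls:
            # Fix: anything still in the buffer was read in the clear, before
            # the handshake, so it must never be processed as protected input.
            self.buf = b""
        self.tls = True
        # From here on, feed() represents decrypted application data.


def run(flush_on_starttls, chunks):
    """Feed the constructed traffic to a session and return its command log."""
    s = Session(flush_on_starttls)
    for chunk in chunks:
        s.feed(chunk)
    return s.log


# Constructed attack traffic: the man-in-the-middle appends a cleartext
# command to the client's AUTH TLS in the same segment; afterwards the
# legitimate client sends its own command inside the TLS session.
INJECTED = b"AUTH TLS\r\nUSER mallory\r\n"
INSIDE_TLS = b"USER alice\r\n"


def commands_believed_encrypted(flush_on_starttls):
    """Commands the server processed while it considered the link encrypted."""
    return [cmd for cmd, tls in run(flush_on_starttls, [INJECTED, INSIDE_TLS]) if tls]


if __name__ == "__main__":
    print("vulnerable:", commands_believed_encrypted(False))
    print("fixed:     ", commands_believed_encrypted(True))
```

The vulnerable session reports both "USER mallory" and "USER alice" as post-handshake commands even though the first one was never encrypted; the fixed session reports only "USER alice". The same check applies on the client side of STARTTLS (a server reply buffered together with the 234 must not be trusted after the handshake), and the clean way to make the flush impossible to forget is to read the STARTTLS command one line at a time and hand the raw socket, not a buffered wrapper, to the TLS layer.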
CVE-2011-1575 was for Pure-FTPd, not proftpd. I do not believe a CVE was assigned for proftpd.
This issue was resolved and addressed in
GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml
by GLSA coordinator Sean Amoss (ackle).