Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 361963 - <net-ftp/proftpd-1.3.3e: plaintext command injection vulnerability in FTPS
Summary: <net-ftp/proftpd-1.3.3e: plaintext command injection vulnerability in FTPS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2011-04-04 20:39 UTC by Bernard Cafarelli
Modified: 2013-09-24 23:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Bernard Cafarelli gentoo-dev 2011-04-04 20:39:09 UTC
As per upstream bug, <proftpd-1.3.3e is vulnerable to CVE-2011-0411.

I have added 1.3.3e to tree, after Bernd's notification, which includes the fix from this bugreport
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-04-04 21:13:49 UTC
(In reply to comment #0)
> I have added 1.3.3e to tree, after Bernd's notification, which includes the fix
> from this bugreport

Great, thank you. I am assuming this is ready to stabilize...

Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 2 Andreas Schürch gentoo-dev 2011-04-05 05:14:18 UTC
Tested on x86, looks good to go here.
Comment 3 Agostino Sarubbo gentoo-dev 2011-04-05 10:34:44 UTC
amd64 ok
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2011-04-05 11:03:38 UTC
amd64 done, thanks Agostino
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-04-05 15:58:57 UTC
x86 stable, thanks Andreas
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-07 17:55:57 UTC
Stable for HPPA.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-04-09 14:02:53 UTC
alpha/sparc stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-11 17:40:52 UTC
ppc/ppc64 stable, last arch done
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-04-11 18:41:07 UTC
Thanks, folks.

GLSA Vote: no.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-04-13 04:18:50 UTC
Changing CVE to proftpd-specific allocation per
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:05:06 UTC
CVE-2011-1575 (
  The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does
  not properly restrict I/O buffering, which allows man-in-the-middle
  attackers to insert commands into encrypted FTP sessions by sending a
  cleartext command that is processed after TLS is in place, related to a
  "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:53:41 UTC
Vote: YES. Added to pending GLSA request.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-10-23 04:14:18 UTC
CVE-2011-1575 was for Pure-ftpd, not proftpd. I do not believe a CVE was assigned for proftpd.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 23:39:27 UTC
This issue was resolved and addressed in
 GLSA 201309-15 at
by GLSA coordinator Sean Amoss (ackle).