the following is a copy from a bugtraq posting:
Vulnerability: privilege escalation
OpenPKG Specific: no
A portability workaround was applied in version 1.2.9 of the FTP
server ProFTPD. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN)
ACL entries in "Allow" and "Deny" directives act like an "AllowAll"
directive and so FTP clients are granted access to files and
directories although the server configuration might explicitly deny
I think it would be wise to apply the patch from
, do a backport from version 1.2.10rc1 to current stable version
or mark version 1.2.10rc1 as stable...
Steps to Reproduce:
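The advisory above describes CIDR entries in Allow/Deny directives behaving like AllowAll. The following is an added example, not code from the bug report or from ProFTPD: it parses a constructed `<Limit>`-style body (modelled on ProFTPD's `Allow from` / `Deny from` syntax, using documentation address ranges only), evaluates it once with correct CIDR matching and once with a hypothetical model of the reported side-effect (any CIDR entry grants access), and reports which clients the buggy behaviour would wrongly admit plus which Deny entries are written as CIDR blocks and so deserve a check on an unpatched server. The evaluation is a simplified first-match model, not ProFTPD's full `Order` semantics.

```python
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]  # (action, pattern); action is "allow" or "deny"

# Constructed sample <Limit> body, modelled on ProFTPD's "Allow from" /
# "Deny from" syntax. The addresses are RFC 5737 documentation ranges.
SAMPLE_LIMIT_BODY = """\
Order deny,allow
Deny from 198.51.100.0/24, 203.0.113.7
Allow from all
"""


def parse_rules(text: str) -> List[Rule]:
    """Extract ordered (action, pattern) rules from Allow/Deny lines.
    Only simple patterns are handled: dotted IPv4, CIDR block, or 'all'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] in ("Allow", "Deny") and parts[1] == "from":
            for pattern in parts[2].split(","):
                rules.append((parts[0].lower(), pattern.strip()))
    return rules


def pattern_matches(client: str, pattern: str) -> bool:
    """Correct matching: 'all' matches everything, a CIDR block matches only
    addresses inside it, and a bare address matches itself (/32)."""
    if pattern == "all":
        return True
    return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(pattern, strict=False)


def evaluate_correct(rules: List[Rule], client: str, default: bool = False) -> bool:
    """Simplified first-match evaluation (not ProFTPD's full Order semantics):
    the first rule whose pattern matches the client decides the outcome."""
    for action, pattern in rules:
        if pattern_matches(client, pattern):
            return action == "allow"
    return default


def evaluate_buggy(rules: List[Rule], client: str, default: bool = False) -> bool:
    """Hypothetical model of the side-effect in the advisory: any CIDR entry,
    whether under Allow or Deny, behaves like AllowAll and grants access.
    This models the reported behaviour; it is not the server's actual code."""
    for action, pattern in rules:
        if "/" in pattern:
            return True
        if pattern_matches(client, pattern):
            return action == "allow"
    return default


def wrongly_admitted(rules: List[Rule], clients: List[str]) -> List[str]:
    """Clients the buggy evaluation admits that the correct one denies."""
    return [c for c in clients
            if evaluate_buggy(rules, c) and not evaluate_correct(rules, c)]


def cidr_deny_entries(rules: List[Rule]) -> List[str]:
    """Deny entries written as CIDR blocks: the ones whose effect an
    administrator should verify (or rewrite) on a not-yet-patched server."""
    return [p for action, p in rules if action == "deny" and "/" in p]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_LIMIT_BODY)
    probes = ["198.51.100.7", "203.0.113.7", "203.0.113.9"]  # constructed clients
    print("CIDR deny entries:", cidr_deny_entries(rules))
    print("wrongly admitted under the buggy model:", wrongly_admitted(rules, probes))
```

Note that in the sample the bare-address Deny for 203.0.113.7 is also bypassed under the buggy model, because the preceding CIDR entry already grants access before that rule is reached; the useful check for an administrator is therefore the list of CIDR Deny entries, not just the clients inside those blocks.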
Stewart, would you mind checking this one out? Apply the patch or bump to .10_rc1, your call.. otherwise security@ will do a bump.
I bumped to 1.2.9-r2 with the patch, and removed affected versions.
1.2.9 (affected) was : x86 sparc hppa ~alpha ppc ~mips
1.2.9-r2 (unaffected) currently is : ~x86 ~sparc hppa ~alpha ~ppc ~mips amd64
x86, sparc, ppc : please test and mark stable accordingly.
Stable on sparc.
Stable on x86
Stable on ppc
Thanks everyone. Ready for a GLSA draft.