Comment 1 Robert Buchholz (RETIRED) 2009-02-11 16:25:37 UTC

1.3.2 fixes an encoding-dependent SQL injection vulnerability:
http://bugs.proftpd.org/show_bug.cgi?id=3173

However, a more severe issue has been discovered and we should bump to a release with both issues fixed:
http://bugs.proftpd.org/show_bug.cgi?id=3180

The second issue has already been fixed in 1.3.2rc3.
With working exploits on milw0rm&co, please update asap.

Comment 3 Robert Buchholz (RETIRED) 2009-02-12 20:31:10 UTC

CVE-2009-0542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0542):
  SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2
  allows remote attackers to execute arbitrary SQL commands via a "%"
  (percent) character in the username, which introduces a "'" (single
  quote) character during variable substitution by mod_sql.

CVE-2009-0543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0543):
  ProFTPD Server 1.3.1, with NLS support enabled, allows remote
  attackers to bypass SQL injection protection mechanisms via invalid,
  encoded multibyte characters, which are not properly handled in (1)
  mod_sql_mysql and (2) mod_sql_postgres.

Comment 4 Robert Buchholz (RETIRED) 2009-02-14 04:42:16 UTC

Maintainers, take note of the ebuilds posted in the blocking bug.

Comment 5 Bernard Cafarelli 2009-02-17 13:16:56 UTC

OK, let's try to get this package back on tracks...

I've just added =net-ftp/proftpd-1.3.2 to the tree, with minimal modification to the previous ebuild, candidate for security stabling

1.3.2-r1 will include the other fixes kindly provided by Bernd Lommerzheim and other people in currently open bugs

Comment 6 Robert Buchholz (RETIRED) 2009-02-17 19:46:24 UTC

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.2
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Comment 7 Brent Baude (RETIRED) 2009-02-18 18:24:49 UTC

ppc64 done

Comment 8 Brent Baude (RETIRED) 2009-02-18 18:25:38 UTC

i went after -r1; hope that is OK

Comment 9 Tobias Klausmann (RETIRED) 2009-02-18 18:45:57 UTC

With ranger's comment and the whole slew of comments on the blocker bug - what do you want use to make stable? -r0+deps or -r1+deps?

Comment 10 Bernard Cafarelli 2009-02-18 23:49:14 UTC

-r0 is a minimal version bump that only targets the security issue, while -r1 has a few other bugfixes included.

So for this specific security stabling, it's safer to stable -r0, but -r1 is fine if you find so

Comment 11 Jeroen Roovers (RETIRED) 2009-02-20 12:27:07 UTC

Stable for HPPA.

Comment 12 Tobias Klausmann (RETIRED) 2009-02-20 17:15:05 UTC

Stable on alpha.

Comment 13 Raúl Porcel (RETIRED) 2009-02-20 18:21:34 UTC

sparc/x86 stable

Comment 14 Tobias Scherbaum (RETIRED) 2009-02-25 16:20:37 UTC

ppc stable

Comment 15 Markus Meier 2009-02-25 20:45:19 UTC

amd64 stable, all arches done.

Comment 16 Tobias Heinlein (RETIRED) 2009-03-05 20:15:20 UTC

Ready for vote, I vote YES.

Comment 17 Stefan Behte (RETIRED) 2009-03-07 18:36:51 UTC

YES, too. Request filed.

Comment 18 Pierre-Yves Rofes (RETIRED) 2009-03-12 22:32:56 UTC

GLSA 200903-27