Hello,

on 29/Oct/2010 ProFTPD 1.3.3c [1,2] with two important security fixes [3,4] and some bugfixes has been released. I think a copy of the proftpd-1.3.3b ebuild should work for ProFTPD 1.3.3c without problems.

Furthermore I will attach a patch for the proftpd.initd file (against proftpd.initd) to fix the following issues:

* Fix wrong whitespace introduced in the last commit.
* Another fix for Gentoo Bug #314055.

I think we should really quickly add ProFTPD 1.3.3c to the portage tree and, as this release fixes two important security bugs, start a stabilization request for it.

Best regards,
Bernd Lommerzheim

[1] http://proftpd.org/docs/RELEASE_NOTES-1.3.3c
[2] http://proftpd.org/docs/NEWS-1.3.3c
[3] http://bugs.proftpd.org/show_bug.cgi?id=3521
[4] http://bugs.proftpd.org/show_bug.cgi?id=3519
Created attachment 252583: proftpd initd patch (against proftpd.initd)
Thanks a lot for the report!

For the init script, Bernd, can you upload the diff in unified format (-u option) to bug #314055? We'll fix that there.

@security, I've added 1.3.3c in tree, with the same ebuild as current stable 1.3.3a. We have a stack overflow, and write access outside the writable directory in some cases.

Target keywords: alpha, amd64, hppa, ppc, ppc64, sparc, x86
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability.

Arches, please test and mark stable: =net-ftp/proftpd-1.3.3c
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
x86 stable
amd64 done
ppc64 done
Stable for HPPA.
Stable for PPC.
alpha/sparc stable
All arches done; all versions except the new stable 1.3.3c removed from tree (the first vulnerability has been present since proftpd-1.2.0pre10).
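The comment above gives the affected range of this advisory: everything from proftpd-1.2.0pre10 up to, but not including, 1.3.3c. Deciding whether a given host falls inside that range means ordering Gentoo-style version strings correctly (1.3.3a < 1.3.3b < 1.3.3c, 1.2.0pre10 < 1.2.0, 1.3.3 < 1.3.3-r1), which naive string or float comparison gets wrong. The following is an added example, not code from the bug report, Gentoo or the ProFTPD project: a simplified implementation of the Gentoo (PMS) version ordering rules and an affected-range check built on it. The `ProFTPD Version X.Y.Z` banner format assumed for `proftpd -v` output and the sample banner strings are assumptions/constructed inputs, and the comparator simplifies PMS by treating every numeric component as an integer and supporting at most four `_suffix` parts.

```python
import re

# Rank of the optional version suffixes as Gentoo orders them:
# _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "p": 5}
NO_SUFFIX = (4, 0)          # rank used for "plain release" when padding
MAX_SUFFIXES = 4            # assumption: enough for any realistic version

# Accepts both the Gentoo spelling "1.2.0_pre10" and the upstream spelling
# "1.2.0pre10" used in the bug comment; optional trailing letter and -rN.
_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)"                         # numeric components
    r"([a-z])?"                                # optional letter (1.3.3c)
    r"((?:_?(?:alpha|beta|pre|rc|p)\d*)*)"     # optional suffixes
    r"(?:-r(\d+))?"                            # optional Gentoo revision
)


def version_key(v):
    """Return a tuple that sorts Gentoo-style version strings correctly.

    Simplification vs. PMS: numeric components are compared as integers.
    """
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unparseable version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    letter = (ord(m.group(2)) - ord("a") + 1) if m.group(2) else 0
    suffixes = [
        (SUFFIX_RANK[name], int(num) if num else 0)
        for name, num in re.findall(r"(alpha|beta|pre|rc|p)(\d*)", m.group(3))
    ]
    if len(suffixes) > MAX_SUFFIXES:
        raise ValueError(f"too many suffixes in {v!r}")
    # Pad with "plain release" so 1.0_rc1 < 1.0 < 1.0_p1 falls out of tuple order.
    suffixes += [NO_SUFFIX] * (MAX_SUFFIXES - len(suffixes))
    revision = int(m.group(4)) if m.group(4) else 0
    return (nums, letter, tuple(suffixes), revision)


def compare_versions(a, b):
    """-1, 0 or 1 depending on whether a <, == or > b under Gentoo ordering."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def is_affected(installed, first_vulnerable="1.2.0pre10", fixed="1.3.3c"):
    """True if installed lies in [first_vulnerable, fixed), the range this bug gives."""
    v = version_key(installed)
    return version_key(first_vulnerable) <= v < version_key(fixed)


def version_from_banner(banner):
    """Extract the version from a 'proftpd -v' banner.

    Assumption: the banner has the form 'ProFTPD Version 1.3.3a'.
    """
    m = re.search(r"ProFTPD Version (\S+)", banner)
    if not m:
        raise ValueError(f"no ProFTPD version in banner: {banner!r}")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ("ProFTPD Version 1.3.3a", "ProFTPD Version 1.3.3c",
                   "ProFTPD Version 1.2.0pre10", "ProFTPD Version 1.2.0pre9"):
        ver = version_from_banner(banner)
        print(f"{ver:12s} affected={is_affected(ver)}")
```

Run it against the output of `proftpd -v` on the host in question; anything that reports `affected=True` should be upgraded to 1.3.3c, which the thread above stabilized on every listed arch.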
Thanks, folks. GLSA request filed.
This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).