From ${URL} :

An FTP command injection flaw was found [1] in Erlang's FTP module. Several functions in the FTP module do not properly sanitize the input before passing it into a control socket. A local attacker can use this flaw to execute arbitrary FTP commands on a system that uses this module. This issue has been reported upstream [2], but has not yet been fixed.

[1] http://seclists.org/oss-sec/2014/q1/163
[2] http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
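An added illustration of the unsanitized-argument problem described in the report above, not code from the Erlang/OTP ftp module itself: the module and function names below are assumptions for the example, and the injected input is constructed.

```erlang
%% Constructed illustration of the control-socket injection class from the
%% report above, next to the argument check that blocks it.
%% Module and function names are assumptions, not OTP's ftp module API.
-module(ftp_arg_check).
-export([build_command/2, safe_build_command/2, demo/0]).

%% Build a raw FTP control line. Any CR or LF inside Arg reaches the wire
%% as a line terminator, so a caller-controlled Arg can smuggle a second
%% command onto the control connection (the flaw the report describes).
build_command(Verb, Arg) ->
    Verb ++ " " ++ Arg ++ "\r\n".

%% Hardened variant: refuse arguments containing CR or LF before anything
%% is written to the control socket.
safe_build_command(Verb, Arg) ->
    HasCtrl = lists:any(fun(C) -> C =:= $\r orelse C =:= $\n end, Arg),
    case HasCtrl of
        true  -> {error, {invalid_argument, Arg}};
        false -> {ok, build_command(Verb, Arg)}
    end.

%% Constructed input: a directory name that embeds a line break followed by
%% a second (harmless) verb. The raw builder emits two control lines; the
%% checked builder rejects the argument instead.
demo() ->
    Injected = "dir\r\nNOOP",
    Raw = build_command("CWD", Injected),          %% "CWD dir\r\nNOOP\r\n"
    Checked = safe_build_command("CWD", Injected), %% {error, {invalid_argument, ...}}
    {Raw, Checked}.
```

Call `ftp_arg_check:demo().` from an Erlang shell to see both results side by side.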
We can stabilize erlang-17.3 for this, which has the fix.
amd64 stable
x86 stable
ppc stable
ppc64 stable
sparc stable
Stable on alpha.
Security team, ping? I think this can be closed, we've long since stabilized 17.5.
Looking at the CVE and mailing lists I cannot confirm the versioning. Hopefully you can provide expertise on the R15B03 reference to which this was tested? Basically, is 15.2.3.1 vulnerable?
I'm all for removing it. Amadeusz, how are we doing on ejabberd stuff?
That is, I agree that 15.2.3.1 is probably vulnerable, although I can't find any definitive information on it, either.
(In reply to Dirkjan Ochtman from comment #10)
> I'm all for removing it. Amadeusz, how are we doing on ejabberd stuff?

I'm about to request stabilization for amd64, arm, ppc, x86, but I've just got keywords for ~ia64 and soon I may have it for ~sparc which means we will have to wait a bit for stabilization, unless... there's a way around this.
Removed the final vulnerable version from the tree.
@ Security: Please vote.
GLSA Vote: No