Comment 1 Thomas Deutschmann (RETIRED) 2020-02-24 23:59:54 UTC

Upstream patches:

https://github.com/proftpd/proftpd/commit/d388f7904d4c9a6d0ea54237b8b54a57c19d8d49 (master)
https://github.com/proftpd/proftpd/commit/e845abc1bd86eebec7a0342fded908a1b0f1996b (1.3.6.c)

Comment 2 Larry the Git Cow 2020-02-25 08:39:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfa4622ef7d68e3fb14fc62e84d9ad549338373d

commit bfa4622ef7d68e3fb14fc62e84d9ad549338373d
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-02-25 08:39:33 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-02-25 08:39:51 +0000

    net-ftp/proftpd: bump up to 1.3.6c, bug #710730
    
    Bug: https://bugs.gentoo.org/710730
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 net-ftp/proftpd/Manifest              |   1 +
 net-ftp/proftpd/proftpd-1.3.6c.ebuild | 274 ++++++++++++++++++++++++++++++++++
 2 files changed, 275 insertions(+)

Comment 3 Sam James 2020-03-01 18:49:30 UTC

This also fixes CVE-2020-9272.

Comment 4 GLSAMaker/CVETool Bot 2020-03-15 06:43:21 UTC

CVE-2020-9272 (https://nvd.nist.gov/vuln/detail/CVE-2020-9272):
  ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via
  the cap_text.c cap_to_text function.

Comment 5 GLSAMaker/CVETool Bot 2020-03-15 06:44:03 UTC

CVE-2020-9272 (https://nvd.nist.gov/vuln/detail/CVE-2020-9272):
  ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via
  the cap_text.c cap_to_text function.

Comment 6 Yury German 2020-03-15 06:46:18 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

proftpd-1.3.6c

Comment 7 Rolf Eike Beer 2020-03-16 17:42:04 UTC

sparc stable

Comment 8 GLSAMaker/CVETool Bot 2020-03-16 21:10:58 UTC

This issue was resolved and addressed in
 GLSA 202003-35 at https://security.gentoo.org/glsa/202003-35
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 9 Thomas Deutschmann (RETIRED) 2020-03-16 21:11:36 UTC

Re-opening for remaining architectures.

Comment 10 Agostino Sarubbo 2020-03-17 18:45:18 UTC

amd64 stable

Comment 11 Agostino Sarubbo 2020-03-18 09:46:37 UTC

arm stable

Comment 12 Agostino Sarubbo 2020-03-18 09:56:13 UTC

ia64 stable

Comment 13 Agostino Sarubbo 2020-03-18 11:12:31 UTC

ppc stable

Comment 14 Agostino Sarubbo 2020-03-18 11:14:17 UTC

ppc64 stable

Comment 15 Agostino Sarubbo 2020-03-18 15:22:49 UTC

x86 stable

Comment 16 Rolf Eike Beer 2020-03-18 18:20:43 UTC

hppa stable

Comment 17 Sam James 2020-03-18 20:04:15 UTC

Thanks arches.

@maintainer(s), ok to cleanup?

Comment 18 Larry the Git Cow 2020-03-18 21:30:58 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=195ad646be2d92d29e5dbd218a7918d633b12b29

commit 195ad646be2d92d29e5dbd218a7918d633b12b29
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-18 21:30:45 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-18 21:30:52 +0000

    net-ftp/proftpd: drop <net-ftp/proftpd-1.3.6c, bug #710730
    
    Bug: https://bugs.gentoo.org/710730
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 net-ftp/proftpd/Manifest                 |   1 -
 net-ftp/proftpd/proftpd-1.3.6b-r1.ebuild | 275 -------------------------------
 2 files changed, 276 deletions(-)

Comment 19 Yury German 2020-03-20 03:07:35 UTC

Arches and Maintainer(s), Thank you for your work.

Closing since GLSA was released

Comment 20 NATTkA bot 2020-04-06 14:49:17 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 21 NATTkA bot 2020-05-02 17:52:36 UTC

Unable to check for sanity:

> no match for package: net-ftp/proftpd-1.3.6c