Debian Bug report logs - #516388
proftpd: Several SQL injection vulnerabilities
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Sat, 21 Feb 2009 05:24:01 UTC
Severity: grave
Tags: security
Fixed in version proftpd-dfsg/1.3.2-1
Done: "Francesco P. Lovergine" <frankie@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>: Bug#516388; Package proftpd. (Sat, 21 Feb 2009 05:24:04 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>. (Sat, 21 Feb 2009 05:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for proftpd.
CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection protection mechanisms via invalid,
| encoded multibyte characters, which are not properly handled in (1)
| mod_sql_mysql and (2) mod_sql_postgres.
CVE-2009-0542[1]:
| SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2
| allows remote attackers to execute arbitrary SQL commands via a "%"
| (percent) character in the username, which introduces a "'" (single
| quote) character during variable substitution by mod_sql.
The PostgreSQL part should still be vulnerable as discussed via
previous mail. The second issue seems to be still unaddressed. It needs
to be investigated whether upstream's fix is complete, since it doesn't
seem to use the usual escaping functions.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0543
http://security-tracker.debian.net/tracker/CVE-2009-0543
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542
http://security-tracker.debian.net/tracker/CVE-2009-0542
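The two CVE descriptions above point at two separate defensive requirements: a username that reaches the SQL layer as spliced text (CVE-2009-0542) can turn characters such as "'" or "%" into statement syntax, and byte-oriented escaping cannot reason about byte sequences that are not valid in the connection character set (CVE-2009-0543). The following is an added example written for this page, not code from the bug log or from ProFTPD's mod_sql; the table layout, the `%u` template tag, the function names and the sample rows are all constructed assumptions, and the toy template does not reproduce mod_sql's actual substitution logic. It contrasts the text-substitution shape with a path that validates the encoding first and then binds the username as a query parameter.

```python
"""Added example (not part of the Debian bug log or ProFTPD's own code).

Shows the defensive shape for the two issues reported above:
 1. Reject bytes that are not valid in the connection charset before any
    escaping or query building happens (cf. CVE-2009-0543).
 2. Pass the username to the database as a bound parameter instead of
    substituting it into the statement text (cf. CVE-2009-0542).
All names, the template and the sample rows are constructed for this example.
"""
import sqlite3

# Hypothetical mod_sql-style template: the %u tag is replaced by the username.
TEMPLATE = "SELECT userid, passwd FROM users WHERE userid='%u'"


def valid_in_charset(raw: bytes, charset: str = "utf-8") -> bool:
    """True only if raw decodes strictly under the connection charset;
    a truncated or malformed multibyte sequence is rejected outright."""
    try:
        raw.decode(charset, errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def build_query_by_substitution(username: str) -> str:
    """Text-substitution shape: the username becomes part of the statement,
    so any quote or tag character in it is read as SQL syntax."""
    return TEMPLATE.replace("%u", username)


def substituted_query_executes(conn: sqlite3.Connection, username: str) -> bool:
    """Run the text-spliced query; a quote in the username breaks the statement."""
    try:
        conn.execute(build_query_by_substitution(username))
    except sqlite3.OperationalError:
        return False
    return True


def lookup_user(conn: sqlite3.Connection, raw_username: bytes):
    """Defensive path: strict decode, then bind the username as a parameter.
    The driver sends the value separately from the statement, so "'" and "%"
    inside it are plain data and cannot alter the query."""
    if not valid_in_charset(raw_username):
        raise ValueError("username is not valid in the connection charset")
    username = raw_username.decode("utf-8")
    cur = conn.execute(
        "SELECT userid, passwd FROM users WHERE userid = ?", (username,)
    )
    return cur.fetchall()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an SQLUserInfo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, passwd TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(lookup_user(conn, b"alice"))       # [('alice', 'hash-a')]
    print(lookup_user(conn, b"o'brien%"))    # [] : quote and percent stay data
    print(substituted_query_executes(conn, "o'brien%"))  # False: statement broken
    try:
        lookup_user(conn, b"ali\xffce")      # invalid byte in the charset
    except ValueError as e:
        print("rejected:", e)
```

The strict decode is the cheap check that a byte-level escaper cannot do on its own: once a malformed sequence is refused at the boundary, the escaping routine never sees a half-formed multibyte character. The parameterized query removes the substitution step entirely, which is what makes the ordering of escaping and tag substitution irrelevant.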
Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>: Bug#516388; Package proftpd. (Tue, 24 Feb 2009 09:00:02 GMT)
Acknowledgement sent to Milen Rangelov <gat3way@gat3way.eu>: Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>. (Tue, 24 Feb 2009 09:00:02 GMT)
Message #10 received at 516388@bugs.debian.org:
Since I am the "culprit" that reported the second bug (CVE-2009-0542), I can
confirm it affects Debian's proftpd packages in testing/unstable
repositories. That's because I discovered it on my Debian system.
My proftpd version is 1.3.1-16.
According to the ProFTPD team, the bug is fixed in 1.3.2 rc3 (1.3.2 is not
vulnerable, 1.3.2 rc1 and rc2 are vulnerable), so upgrading to 1.3.2 should
fix the issue.
Reply sent to "Francesco P. Lovergine" <frankie@debian.org>: You have taken responsibility. (Tue, 24 Feb 2009 11:27:10 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Tue, 24 Feb 2009 11:27:10 GMT)
Message #15 received at 516388-done@bugs.debian.org:
Package: proftpd-dfsg
Version: 1.3.2-1
Note that 1.3.1-17 also partially fixes CVE-2009-0543. That bug
does not apply to 1.3.0. Next time it would be better to report
each issue separately.
--
Francesco P. Lovergine
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:36:45 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:43:52 2019