proftpd: mod_sftp integer overflow / CVE-2011-1137

Related Vulnerabilities: CVE-2011-1137  

Debian Bug report logs - #616179


Reported by: henri@nerv.fi

Date: Wed, 2 Mar 2011 23:21:10 UTC

Severity: grave

Tags: security

Found in version proftpd-dfsg/1.3.3a-6

Fixed in version proftpd-dfsg/1.3.3d-4

Done: Francesco Paolo Lovergine <frankie@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#616179; Package proftpd-basic. (Wed, 02 Mar 2011 23:21:13 GMT)


Acknowledgement sent to henri@nerv.fi:
New Bug report received and forwarded. Copy sent to ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Wed, 02 Mar 2011 23:21:13 GMT)


Message #5 received at submit@bugs.debian.org:

From: henri@nerv.fi
To: submit@bugs.debian.org
Subject: proftpd: mod_sftp integer overflow / CVE-2011-1137
Date: Thu, 3 Mar 2011 01:20:30 +0200
Package: proftpd-basic
Version: 1.3.3a-6
Tags: security
Severity: grave

Package proftpd-basic has been assigned CVE-2011-1137, "mod_sftp integer overflow". Packages might be vulnerable. The security tracker should also be updated. This needs verifying.

References:
http://www.openwall.com/lists/oss-security/2011/03/02/5
http://bugs.proftpd.org/show_bug.cgi?id=3586
http://www.exploit-db.com/exploits/16129/
http://www.castaglia.org/proftpd/modules/mod_sftp.html

Best regards,
Henri Salo
Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility. (Fri, 04 Mar 2011 08:51:08 GMT)


Notification sent to henri@nerv.fi:
Bug acknowledged by developer. (Fri, 04 Mar 2011 08:51:08 GMT)


Message #10 received at 616179-close@bugs.debian.org:

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 616179-close@bugs.debian.org
Subject: Bug#616179: fixed in proftpd-dfsg 1.3.3d-4
Date: Fri, 04 Mar 2011 08:50:10 +0000
Source: proftpd-dfsg
Source-Version: 1.3.3d-4

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:

proftpd-basic_1.3.3d-4_amd64.deb
  to main/p/proftpd-dfsg/proftpd-basic_1.3.3d-4_amd64.deb
proftpd-dev_1.3.3d-4_amd64.deb
  to main/p/proftpd-dfsg/proftpd-dev_1.3.3d-4_amd64.deb
proftpd-dfsg_1.3.3d-4.debian.tar.gz
  to main/p/proftpd-dfsg/proftpd-dfsg_1.3.3d-4.debian.tar.gz
proftpd-dfsg_1.3.3d-4.dsc
  to main/p/proftpd-dfsg/proftpd-dfsg_1.3.3d-4.dsc
proftpd-doc_1.3.3d-4_all.deb
  to main/p/proftpd-dfsg/proftpd-doc_1.3.3d-4_all.deb
proftpd-mod-ldap_1.3.3d-4_amd64.deb
  to main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.3d-4_amd64.deb
proftpd-mod-mysql_1.3.3d-4_amd64.deb
  to main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.3d-4_amd64.deb
proftpd-mod-odbc_1.3.3d-4_amd64.deb
  to main/p/proftpd-dfsg/proftpd-mod-odbc_1.3.3d-4_amd64.deb
proftpd-mod-pgsql_1.3.3d-4_amd64.deb
  to main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.3d-4_amd64.deb
proftpd-mod-sqlite_1.3.3d-4_amd64.deb
  to main/p/proftpd-dfsg/proftpd-mod-sqlite_1.3.3d-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 616179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 04 Mar 2011 00:42:18 +0100
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite
Architecture: source amd64 all
Version: 1.3.3d-4
Distribution: unstable
Urgency: high
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description: 
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 613527 616179 616336
Changes: 
 proftpd-dfsg (1.3.3d-4) unstable; urgency=high
 .
   * Fixed previous changelog.
   * Now proftpd.conf includes /etc/proftpd/conf.d contents to allow custom
     configurations being loaded after system ones in separate files.
   * Added README.Debian for proftpd-dev to explain how to build add-on
     modules.
   * [PATCH] Silently remove excessive verbosity at startup about conf.d
     directory parsing.
   * Updated debian/NEWS file with information about new conf.d directory.
   * Now the configuration file name can be overridden at run-time.
     (closes: #613527)
   * Now uses Breaks instead of Conflicts against pre-squeeze proftpd package.
   * [SECURITY,PATCH] CVE-2011-1137: mod_sftp behaves badly when receiving
     badly formed SSH messages.
     (closes: #616179)
   * Updated Czech debconf template.
     (closes: #616336)
Checksums-Sha1: 
 8fb8dcb385ef3796654a2c87de847fb41b193d25 1625 proftpd-dfsg_1.3.3d-4.dsc
 3fff72d49f50402002661fb01ff22352f5b59a4b 102740 proftpd-dfsg_1.3.3d-4.debian.tar.gz
 98a281e0b89c09dd6e95400650e7d7f34489e857 2421340 proftpd-basic_1.3.3d-4_amd64.deb
 a9cc550e576a37ce9e282411d97643f89c74ebc4 907846 proftpd-dev_1.3.3d-4_amd64.deb
 ef3509c5feae7b773c3c68d602ea677ed0e3d9d4 362694 proftpd-mod-mysql_1.3.3d-4_amd64.deb
 80f02e9b035a23306b22a04c8cdd295f7fc915ef 362384 proftpd-mod-pgsql_1.3.3d-4_amd64.deb
 92d0b891c2f318489d9d0ae889c85090e1f424b4 372296 proftpd-mod-ldap_1.3.3d-4_amd64.deb
 c4b06e69ed4df20bbb5b34eb124106579db0d892 364076 proftpd-mod-odbc_1.3.3d-4_amd64.deb
 580225678068e3d00acd89fe9e8eca2637de46df 361846 proftpd-mod-sqlite_1.3.3d-4_amd64.deb
 ceb545b7ef6921cf8fc53a55fd8267045061650e 1525564 proftpd-doc_1.3.3d-4_all.deb
Checksums-Sha256: 
 d29356ce31d02414253baaa5548911fd23101a67166c77de1ca3dcbef07c8c99 1625 proftpd-dfsg_1.3.3d-4.dsc
 0c6b3b998e1d5099bb88d36a4364c3bf75630a476b38ce02be07fd431f6bc710 102740 proftpd-dfsg_1.3.3d-4.debian.tar.gz
 6488b9e776ab60c6f30d1b610511488994b3e19883d12698f25f98b9a4c4e5ff 2421340 proftpd-basic_1.3.3d-4_amd64.deb
 af3ded3985c9f984783c0dd0a9d5b13623a09a5e499538d76249691cf43fa32c 907846 proftpd-dev_1.3.3d-4_amd64.deb
 5ecc11d828573ebf2d5e4406bdb65485079dcad0e0ab11a51301db20e72597f4 362694 proftpd-mod-mysql_1.3.3d-4_amd64.deb
 be10cd2150353cc9dd595dd71a80887d22b2f682454c5ddcf9325623274380af 362384 proftpd-mod-pgsql_1.3.3d-4_amd64.deb
 924008de40fb37b19c9d04c88fba469ae1d151fcd24f8d2fff45a0cae8efb118 372296 proftpd-mod-ldap_1.3.3d-4_amd64.deb
 76d2f10fb639821c4faac3800effe72fbf2e0867e68bf2e74506512ace9a5bc4 364076 proftpd-mod-odbc_1.3.3d-4_amd64.deb
 37d6657feccb959c9b5f4b5675fba53411f92a81025f31853e8ac147c3cc9533 361846 proftpd-mod-sqlite_1.3.3d-4_amd64.deb
 d8999c2c2dc2a9f247f802dcff7214f6503dd1135357ec7ac025565f92d17df2 1525564 proftpd-doc_1.3.3d-4_all.deb
Files: 
 df53fbbcf27424a3099ab1242c4d3836 1625 net optional proftpd-dfsg_1.3.3d-4.dsc
 5982783c5f15cc984375deee2406d2c1 102740 net optional proftpd-dfsg_1.3.3d-4.debian.tar.gz
 0e11f3540d428b3169971e0d5a3815e0 2421340 net optional proftpd-basic_1.3.3d-4_amd64.deb
 7ff5cf11bc616004b32fb5ca9753985d 907846 net optional proftpd-dev_1.3.3d-4_amd64.deb
 59a4a37797e9bac1f77894618f3fb240 362694 net optional proftpd-mod-mysql_1.3.3d-4_amd64.deb
 0397df8c3050866d7d0b89864443961f 362384 net optional proftpd-mod-pgsql_1.3.3d-4_amd64.deb
 e349a23d88509ebc7afa06931be2e800 372296 net optional proftpd-mod-ldap_1.3.3d-4_amd64.deb
 fa9b106b309fce043c71f9014994fd42 364076 net optional proftpd-mod-odbc_1.3.3d-4_amd64.deb
 1ff062807195868500562259e92f3fae 361846 net optional proftpd-mod-sqlite_1.3.3d-4_amd64.deb
 f766f5570c6e27598c6edeb2b914a6b7 1525564 doc optional proftpd-doc_1.3.3d-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk1wot8ACgkQpFNRmenyx0e0LQCg3wxnLZXSQdwTUbXIDJoNWaeH
cZ4AoIgrZUt5npCAL+Od4SoCkc+E0Coo
=zRgY
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:58:57 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:06:02 2019; Machine Name: buxtehude