proftpd-dfsg: CVE-2015-3306: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy

Related Vulnerabilities: CVE-2015-3306  

Debian Bug report logs - #782781

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 17 Apr 2015 19:27:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions proftpd-dfsg/1.3.4a-1, proftpd-dfsg/1.3.5-1

Fixed in versions proftpd-dfsg/1.3.5-2, proftpd-dfsg/1.3.5-1.1+deb8u1, proftpd-dfsg/1.3.4a-5+deb7u3

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#782781; Package src:proftpd-dfsg. (Fri, 17 Apr 2015 19:27:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Fri, 17 Apr 2015 19:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd-dfsg: CVE-2015-3306: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
Date: Fri, 17 Apr 2015 21:22:03 +0200
Source: proftpd-dfsg
Version: 1.3.5-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for proftpd-dfsg.

CVE-2015-3306[0]:
unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3306

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions proftpd-dfsg/1.3.4a-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 20 Apr 2015 17:15:13 GMT)


Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility. (Thu, 23 Apr 2015 13:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 23 Apr 2015 13:21:05 GMT)


Message #12 received at 782781-close@bugs.debian.org:

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 782781-close@bugs.debian.org
Subject: Bug#782781: fixed in proftpd-dfsg 1.3.5-2
Date: Thu, 23 Apr 2015 13:19:15 +0000
Source: proftpd-dfsg
Source-Version: 1.3.5-2

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 23 Apr 2015 14:11:19 +0200
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite proftpd-mod-geoip
Architecture: source i386 all
Version: 1.3.5-2
Distribution: unstable
Urgency: high
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description:
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 761795 782781
Changes:
 proftpd-dfsg (1.3.5-2) unstable; urgency=high
 .
   * proftpd-dev: Depend on libtool-bin: merged NMU, thanks Doko.
     (closes: #761795)
   * Add CVE-2015-3306 patch.
     Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy.
     (closes: #782781)




Information forwarded to debian-bugs-dist@lists.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#782781; Package src:proftpd-dfsg. (Tue, 19 May 2015 06:57:04 GMT)


Acknowledgement sent to Mario Lipinski <mario.lipinski@iserv.eu>:
Extra info received and forwarded to list. Copy sent to ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Tue, 19 May 2015 06:57:04 GMT)


Message #17 received at 782781@bugs.debian.org:

From: Mario Lipinski <mario.lipinski@iserv.eu>
To: 782781@bugs.debian.org
Subject: No security fix yet
Date: Tue, 19 May 2015 08:33:08 +0200

Dear proftpd maintainers,

following a recent press release [1], exploits [2] for this bug [3] 
exist and the bug seems to be unfixed in the currently supported 
oldstable and stable releases [4]. What about considering a security 
release or updating the security-tracker information?

[1] http://www.heise.de/newsticker/meldung/Angreifer-nutzen-kritische-Luecke-in-ProFTPD-aus-2652114.html (German)
[2] https://github.com/nootropics/propane
[3] http://bugs.proftpd.org/show_bug.cgi?id=4169
[4] https://security-tracker.debian.org/tracker/CVE-2015-3306

-- 
Kind regards,
Mario Lipinski

IServ GmbH
Bültenweg 73
38106 Braunschweig

Phone:     0531-2243666-0
Fax:       0531-2243666-9
Email:     info@iserv.eu
Website:   iserv.eu

VAT ID DE265149425 | Amtsgericht Braunschweig | HRB 201822
Managing Directors: Benjamin Heindl, Jörg Ludwig



Information forwarded to debian-bugs-dist@lists.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#782781; Package src:proftpd-dfsg. (Tue, 19 May 2015 15:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Tue, 19 May 2015 15:54:04 GMT)


Message #22 received at 782781@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mario Lipinski <mario.lipinski@iserv.eu>, 782781@bugs.debian.org
Subject: Re: Bug#782781: No security fix yet
Date: Tue, 19 May 2015 17:51:35 +0200

Hi Mario,

On Tue, May 19, 2015 at 08:33:08AM +0200, Mario Lipinski wrote:
> Dear proftpd maintainers,
> 
> following a recent press release [1], exploits [2] for this bug [3] exist
> and the bug seems to be unfixed in the currently supported oldstable and
> stable releases [4]. What about considering a security release or updating
> the security-tracker information?
> 
> [1] http://www.heise.de/newsticker/meldung/Angreifer-nutzen-kritische-Luecke-in-ProFTPD-aus-2652114.html
> (German)
> [2] https://github.com/nootropics/propane
> [3] http://bugs.proftpd.org/show_bug.cgi?id=4169
> [4] https://security-tracker.debian.org/tracker/CVE-2015-3306

The information on the security tracker is indeed right. An update for
proftpd-dfsg for wheezy-security and jessie-security is in the works
and should be out hopefully soon.

HTH and Regards,
Salvatore



Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Wed, 20 May 2015 21:33:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 20 May 2015 21:33:15 GMT)


Message #27 received at 782781-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 782781-close@bugs.debian.org
Subject: Bug#782781: fixed in proftpd-dfsg 1.3.5-1.1+deb8u1
Date: Wed, 20 May 2015 21:32:06 +0000
Source: proftpd-dfsg
Source-Version: 1.3.5-1.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 19 May 2015 12:53:10 +0200
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite proftpd-mod-geoip
Architecture: source amd64 all
Version: 1.3.5-1.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description:
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 782781
Changes:
 proftpd-dfsg (1.3.5-1.1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix CVE-2015-3306: unauthenticated copying of files via SITE CPFR/CPTO
     allowed by mod_copy (Closes: #782781)




Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Wed, 20 May 2015 21:33:23 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 20 May 2015 21:33:23 GMT)


Message #32 received at 782781-close@bugs.debian.org:

From: Sebastien Delafond <seb@debian.org>
To: 782781-close@bugs.debian.org
Subject: Bug#782781: fixed in proftpd-dfsg 1.3.4a-5+deb7u3
Date: Wed, 20 May 2015 21:32:51 +0000
Source: proftpd-dfsg
Source-Version: 1.3.4a-5+deb7u3

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 19 May 2015 12:58:18 +0200
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite
Architecture: source amd64 all
Version: 1.3.4a-5+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description:
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 782781
Changes:
 proftpd-dfsg (1.3.4a-5+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix CVE-2015-3306: unauthenticated copying of files via SITE CPFR/CPTO
     allowed by mod_copy (Closes: #782781)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Jun 2015 07:30:26 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:30:08 2019; Machine Name: buxtehude
