Your message dated Thu, 05 Mar 2020 18:47:15 +0000
with message-id <[email protected]>
and subject line Bug#951800: fixed in proftpd-dfsg 1.3.6-4+deb10u4
has caused the Debian Bug report #951800,
regarding CVE-2020-9273: buster affected
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
951800: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951800
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: proftpd-basic
Version: 1.3.6-4+deb10u3
Severity: important
Tags: upstream
This is to track CVE-2020-9273.
I'm not 100% sure if jessie is affected too. At least the
CVE does not report it.
Hilmar
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 5.4.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages proftpd-basic depends on:
ii adduser 3.118
ii debianutils 4.9.1
ii libacl1 2.2.53-5
ii libc6 2.29-10
ii libcap2 1:2.32-1
ii libcrypt1 1:4.4.10-10
ii libhiredis0.14 0.14.0-6
ii libmemcached11 1.0.18-4.2
ii libmemcachedutil2 1.0.18-4.2
ii libncursesw6 6.1+20191019-1
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libpcre3 2:8.39-12+b1
ii libssl1.1 1.1.1d-2
ii libtinfo6 6.1+20191019-1
ii libwrap0 7.6.q-30
ii lsb-base 11.1.0
ii netbase 6.1
ii sed 4.7-1
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1.2
Versions of packages proftpd-basic recommends:
pn proftpd-doc <none>
Versions of packages proftpd-basic suggests:
ii openbsd-inetd [inet-superserver] 0.20160825-4+b1
ii openssl 1.1.1d-2
pn proftpd-mod-geoip <none>
pn proftpd-mod-ldap <none>
pn proftpd-mod-mysql <none>
pn proftpd-mod-odbc <none>
pn proftpd-mod-pgsql <none>
pn proftpd-mod-snmp <none>
pn proftpd-mod-sqlite <none>
-- debconf information:
* shared/proftpd/inetd_or_standalone: from inetd
--- End Message ---
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.6-4+deb10u4
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated proftpd-dfsg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 25 Feb 2020 22:23:14 +0100
Source: proftpd-dfsg
Architecture: source
Version: 1.3.6-4+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: ProFTPD Maintainance Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 951800
Changes:
proftpd-dfsg (1.3.6-4+deb10u4) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Ensure that we do not reuse already-destroyed memory pools during data transfers (CVE-2020-9273) (Closes: #951800)
* Clear the data-transfer instigating command pool but keep a memory pool. Fixes regression in the %{transfer-status} LogFormat functionality.
Checksums-Sha1:
5061c2133acc7ff776d9fc3ffbd774ad8beb518c 2994 proftpd-dfsg_1.3.6-4+deb10u4.dsc
f80d38c1ed410cc1a6a7ba8df4c31f93e4e365fd 80960 proftpd-dfsg_1.3.6-4+deb10u4.debian.tar.xz
Checksums-Sha256:
2a5908768fffeb40aca0561892b726d5851f443bdcde3cd5dfbd06805c201d18 2994 proftpd-dfsg_1.3.6-4+deb10u4.dsc
61639fd8a2e4d7e99fd4c480fc4f5cdd59fbf6cd893bf99fafc0f02d2b3f84a7 80960 proftpd-dfsg_1.3.6-4+deb10u4.debian.tar.xz
Files:
fa453c45706e469e122754cdf5a748dd 2994 net optional proftpd-dfsg_1.3.6-4+deb10u4.dsc
980ba89829e1a41320323c5550b939cc 80960 net optional proftpd-dfsg_1.3.6-4+deb10u4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---