Package: proftpd
Version: 1.3.0-4
Severity: grave
Tags: security
Justification: user security hole
Hi,

Net ACLs in proftpd 1.3.0 seem to be buggy. Specifying a network using either CIDR notation or a wildcard leads to proftpd granting access to every client regardless of their IP address.

My configuration:

  <Limit LOGIN>
    Order allow,deny
    Allow from ::ffff:127.0.0.1,::ffff:62.4.18.94,::ffff:10.1.1.0/24,::ffff:10.1.2.0/24,::ffff:62.4.21.144/29
    Deny from all
  </Limit>

JB.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages proftpd depends on:
ii  adduser              3.87        Add and remove users and groups
ii  debconf              1.5.0       Debian configuration management sy
ii  debianutils          2.16        Miscellaneous utilities specific t
ii  libacl1              2.2.36-1    Access control list shared library
ii  libattr1             2.4.32-1    Extended attribute shared library
ii  libc6                2.3.6-7     GNU C Library: Shared libraries
ii  libldap2             2.1.30-13   OpenLDAP libraries
ii  libmysqlclient15off  5.0.20a-2   mysql database client library
ii  libncurses5          5.5-1.1     Shared libraries for terminal hand
ii  libpam-runtime       0.79-3.1    Runtime support for the PAM librar
ii  libpam0g             0.79-3.1    Pluggable Authentication Modules l
ii  libpq4               8.1.3-4     PostgreSQL C client library
ii  libssl0.9.8          0.9.8a-8    SSL shared libraries
ii  libwrap0             7.6.dbs-9   Wietse Venema's TCP wrappers libra
ii  netbase              4.25        Basic TCP/IP networking system
ii  perl                 5.8.8-4     Larry Wall's Practical Extraction
ii  ucf                  2.009       Update Configuration File: preserv
ii  zlib1g               1:1.2.3-11  compression library - runtime

proftpd recommends no packages.

-- debconf information:
* shared/proftpd/warning:
* shared/proftpd/inetd_or_standalone: standalone
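An added example, not proftpd's code or the reporter's, that computes the decision the <Limit LOGIN> block above should produce for a given client address, so that a running server's behaviour can be compared against the expected outcome (a client outside every listed network must be refused). It assumes the first-match Allow-then-Deny reading the configuration evidently relies on, and that a prefix length on a ::ffff: entry applies to the embedded IPv4 address.

```python
import ipaddress

# Allow/Deny lists copied from the reporter's <Limit LOGIN> block.
ALLOW_FROM = ("::ffff:127.0.0.1,::ffff:62.4.18.94,::ffff:10.1.1.0/24,"
              "::ffff:10.1.2.0/24,::ffff:62.4.21.144/29")
DENY_FROM = "all"


def to_ipv4(text):
    """Unwrap '::ffff:a.b.c.d' (or accept a bare IPv4 literal) to IPv4Address."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is None:
            raise ValueError("not an IPv4-mapped address: %s" % text)
        addr = addr.ipv4_mapped
    return addr


def parse_acl(spec):
    """Parse a comma-separated Allow/Deny list into IPv4 networks.

    Assumption: a prefix length on a mapped entry (::ffff:10.1.1.0/24)
    applies to the embedded IPv4 address, i.e. it means 10.1.1.0/24.
    """
    nets = []
    for entry in (e.strip() for e in spec.split(",")):
        if entry == "all":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        host, _, prefix = entry.partition("/")
        nets.append(ipaddress.ip_network(
            "%s/%s" % (to_ipv4(host), prefix or "32"), strict=False))
    return nets


def login_allowed(client_text, allow=ALLOW_FROM, deny=DENY_FROM):
    """'Order allow,deny' as the reporter's configuration evidently intends
    (assumed, not proftpd's own algorithm): a client matching an Allow
    entry is admitted; otherwise a Deny match, or no match, refuses it."""
    client = to_ipv4(client_text)
    if any(client in net for net in parse_acl(allow)):
        return True
    if any(client in net for net in parse_acl(deny)):
        return False
    return False  # no rule matched: default deny


def expected_decisions(clients):
    """Map each client address to the decision a correct ACL should give."""
    return {c: login_allowed(c) for c in clients}
```

Run expected_decisions over the addresses you then try against the server; any address reported False here that the server lets log in reproduces the reported behaviour.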

