Your message dated Fri, 17 Oct 2008 02:02:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500518: fixed in linux-ftpd-ssl 0.17.27+0.3-3
has caused the Debian Bug report #500518,
regarding ftpd: command line split (CSRF)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
500518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500518
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ftpd
Version: 0.17-23
Severity: normal
Similar to recent OpenBSD changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
this Debian package seems vulnerable to the same issue
(and I expect the solution here to be the same).
See also:
multiple vendor ftpd - Cross-site request forgery
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064697.html
(My setting of severity on this bug is probably alarmist...)
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-pk02.19-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages ftpd depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii libpam-modules 0.79-5 Pluggable Authentication Modules f
ii libpam0g 0.79-5 Pluggable Authentication Modules l
ii netbase 4.29 Basic TCP/IP networking system
ftpd recommends no packages.
-- debconf information:
* ftpd/globattack:
--- End Message ---
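The report above points at the OpenBSD ftpcmd.y change and the full-disclosure post without spelling out the mechanism, so here is an added illustration (not code from ftpd, linux-ftpd-ssl or OpenBSD). A victim's browser is coerced by a cross-site form into POSTing to the FTP server's port 21; the daemon rejects the HTTP request lines as unknown commands but keeps reading, and a form field value cannot carry a raw CRLF. If the daemon's line reader returns a full buffer as a complete command and hands the remainder of the line to the next read, the attacker only needs enough padding to make `PORT ...` (or any other verb) start exactly at the buffer boundary. The fixed reader below follows the approach OpenBSD took: an over-long line is swallowed to its newline and answered with an error, never dispatched. The browser bytes, the 32-byte buffer, and all function names are constructed for this example; a real daemon uses a BUFSIZ-sized buffer and the attacker simply pads more.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Toy FTP control-connection line reader (illustration only; not ftpd,
 * linux-ftpd-ssl or OpenBSD code). BUFSZ is tiny so the split is visible. */
#define BUFSZ   32                  /* at most BUFSZ-1 bytes stored per read */
#define MAXCMDS 16
#define VERBSZ  16

typedef struct { const char *data; size_t len, pos; } stream;
typedef struct { char verbs[MAXCMDS][VERBSZ]; int n, too_long; } result;

/* Constructed sample: what a browser coerced by a cross-site form POST sends to
 * port 21. The body is one long line with no CRLF, padded so that "f=" plus
 * 29 'A' fills the 31-byte buffer and "PORT ..." starts at the boundary. */
static const char SAMPLE[] =
    "POST / HTTP/1.0\r\n"
    "\r\n"
    "f=" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAA"  /* 31 bytes fill the buffer */
    "PORT 10,0,0,1,4,0\r\n";                   /* tail of the same line */

/* Pre-fix behaviour: when the buffer fills before a newline, return what fits
 * as if it were a complete command; the rest of the line is read next time. */
static int getline_split(stream *s, char *buf, size_t bufsz)
{
    size_t i = 0;
    if (s->pos >= s->len)
        return -1;                  /* EOF */
    while (s->pos < s->len && i < bufsz - 1) {
        buf[i++] = s->data[s->pos++];
        if (buf[i - 1] == '\n')
            break;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Fixed behaviour, following the approach of the OpenBSD ftpcmd.y change: an
 * over-long line is swallowed up to its newline and reported, never dispatched. */
static int getline_strict(stream *s, char *buf, size_t bufsz)
{
    int n = getline_split(s, buf, bufsz);
    if (n < (int)bufsz - 1 || buf[n - 1] == '\n')
        return n;                   /* EOF, or a complete line */
    while (s->pos < s->len && s->data[s->pos++] != '\n')
        ;                           /* discard the rest of the over-long line */
    return -2;                      /* caller replies 500 and executes nothing */
}

/* First token, upper-cased: what a command dispatcher keys on. */
static void verb_of(const char *line, char *out, size_t outsz)
{
    size_t i = 0;
    while (line[i] && !strchr(" \r\n", line[i]) && i < outsz - 1) {
        out[i] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    out[i] = '\0';
}

/* Run SAMPLE through one reader and record the verbs that would be dispatched. */
static result dispatch(int strict)
{
    result r;
    stream s = { SAMPLE, sizeof SAMPLE - 1, 0 };
    char buf[BUFSZ];
    int n;
    memset(&r, 0, sizeof r);
    while ((n = strict ? getline_strict(&s, buf, sizeof buf)
                       : getline_split(&s, buf, sizeof buf)) != -1) {
        if (n == -2)
            r.too_long++;           /* rejected line; nothing executed */
        else if (r.n < MAXCMDS)
            verb_of(buf, r.verbs[r.n++], VERBSZ);
    }
    return r;
}

static int count_verb(const result *r, const char *verb)
{
    int i, c = 0;
    for (i = 0; i < r->n; i++)
        c += strcmp(r->verbs[i], verb) == 0;
    return c;
}

/* Does the injected PORT reach the dispatcher? 1 with the split reader, 0 strict. */
int split_reader_port_count(void)  { result r = dispatch(0); return count_verb(&r, "PORT"); }
int strict_reader_port_count(void) { result r = dispatch(1); return count_verb(&r, "PORT"); }
int strict_reader_too_long(void)   { result r = dispatch(1); return r.too_long; }

int main(void)
{
    for (int strict = 0; strict < 2; strict++) {
        result r = dispatch(strict);
        printf("%-6s reader:", strict ? "strict" : "split");
        for (int i = 0; i < r.n; i++)
            printf(" [%s]", r.verbs[i]);
        printf("  too_long=%d\n", r.too_long);
    }
    return 0;
}
```

With the split reader the dispatcher sees POST, an empty line, the padding as a bogus verb, and then PORT as a fresh command; with the strict reader the whole 50-byte line is rejected once and PORT never appears. The check worth carrying over to a real daemon is the same: a reader that returns a full buffer must either wait for the newline or discard through it, and the caller must treat "too long" as an error rather than as a command.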
--- Begin Message ---
Source: linux-ftpd-ssl
Source-Version: 0.17.27+0.3-3
We believe that the bug you reported is fixed in the latest version of
linux-ftpd-ssl, which is due to be installed in the Debian FTP archive:
ftpd-ssl_0.17.27+0.3-3_i386.deb
to pool/main/l/linux-ftpd-ssl/ftpd-ssl_0.17.27+0.3-3_i386.deb
linux-ftpd-ssl_0.17.27+0.3-3.diff.gz
to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.27+0.3-3.diff.gz
linux-ftpd-ssl_0.17.27+0.3-3.dsc
to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.27+0.3-3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ian Beckwith <[EMAIL PROTECTED]> (supplier of updated linux-ftpd-ssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 16 Oct 2008 22:13:23 +0100
Source: linux-ftpd-ssl
Binary: ftpd-ssl
Architecture: source i386
Version: 0.17.27+0.3-3
Distribution: unstable
Urgency: high
Maintainer: Ian Beckwith <[EMAIL PROTECTED]>
Changed-By: Ian Beckwith <[EMAIL PROTECTED]>
Description:
ftpd-ssl - FTP server with SSL encryption support
Closes: 500518
Changes:
linux-ftpd-ssl (0.17.27+0.3-3) unstable; urgency=high
.
* Fix command line split CSRF (Closes: #500518)
Addresses CVE-2008-4242 and CVE-2008-4247.
Checksums-Sha1:
8ea816e1e189c3f2e2da1bfe2e4440adb9fa4591 1115 linux-ftpd-ssl_0.17.27+0.3-3.dsc
400de2fe0b7e39bb55199eb9cdacc77138da5dcf 33362 linux-ftpd-ssl_0.17.27+0.3-3.diff.gz
6b583112c7c92db914956668bc6d3bfc3455cba3 55002 ftpd-ssl_0.17.27+0.3-3_i386.deb
Checksums-Sha256:
8affc9cb8a9adcb56366fadc1786794c5fb641a5d50b1ef37cfe4f33599e3083 1115 linux-ftpd-ssl_0.17.27+0.3-3.dsc
780742aff36d2143e66300573ce42ffe06cb96a2e942b018e0ee79e90e1ba4ce 33362 linux-ftpd-ssl_0.17.27+0.3-3.diff.gz
7ce7138e573fd19ce4537dbb4399cc2b88bf247a013ba1e4ee85452154546611 55002 ftpd-ssl_0.17.27+0.3-3_i386.deb
Files:
0aa5c8c6473bbdcc962131bb6346d378 1115 net extra linux-ftpd-ssl_0.17.27+0.3-3.dsc
22fe10928373fae88ca668b646573d45 33362 net extra linux-ftpd-ssl_0.17.27+0.3-3.diff.gz
aa9385849e0db2250a2666eb44aa9750 55002 net extra ftpd-ssl_0.17.27+0.3-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkj3yWEACgkQQOzBVKi6weqMGwCgl3aiPeb/BkXinRI1eeE0h/MC
c5YAn2FwJqaBUA9OL/BSHsYNY2+pFP/f
=mBO6
-----END PGP SIGNATURE-----
--- End Message ---