Your message dated Tue, 23 May 2006 01:17:15 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#368301: fixed in proftpd 1.3.0-8
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: proftpd
Version: 1.3.0-7
Severity: grave
Tags: security

Hello Francesco,

proftpd includes a trapdoor rpath to /users/frankie/...

%chrpath usr/sbin/proftpd
usr/sbin/proftpd: RPATH=/users/frankie/debian/mypkgs/proftpd/current/proftpd-1.3.0/debian/tmp/usr/sbin

This rpath allows a user with home directory /users/frankie/ to install
trojaned libraries and wait for proftpd to start.

Cheers,
-- 
Bill. <[EMAIL PROTECTED]>

Imagine a large red swirl here. 

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)


--- End Message ---
--- Begin Message ---
Source: proftpd
Source-Version: 1.3.0-8

We believe that the bug you reported is fixed in the latest version of
proftpd, which is due to be installed in the Debian FTP archive:

proftpd-doc_1.3.0-8_all.deb
  to pool/main/p/proftpd/proftpd-doc_1.3.0-8_all.deb
proftpd-ldap_1.3.0-8_all.deb
  to pool/main/p/proftpd/proftpd-ldap_1.3.0-8_all.deb
proftpd-mysql_1.3.0-8_all.deb
  to pool/main/p/proftpd/proftpd-mysql_1.3.0-8_all.deb
proftpd-pgsql_1.3.0-8_all.deb
  to pool/main/p/proftpd/proftpd-pgsql_1.3.0-8_all.deb
proftpd_1.3.0-8.diff.gz
  to pool/main/p/proftpd/proftpd_1.3.0-8.diff.gz
proftpd_1.3.0-8.dsc
  to pool/main/p/proftpd/proftpd_1.3.0-8.dsc
proftpd_1.3.0-8_i386.deb
  to pool/main/p/proftpd/proftpd_1.3.0-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <[EMAIL PROTECTED]> (supplier of updated proftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 22 May 2006 12:22:51 +0200
Source: proftpd
Binary: proftpd proftpd-mysql proftpd-pgsql proftpd-ldap proftpd-doc
Architecture: source all i386
Version: 1.3.0-8
Distribution: unstable
Urgency: medium
Maintainer: Francesco Paolo Lovergine <[EMAIL PROTECTED]>
Changed-By: Francesco Paolo Lovergine <[EMAIL PROTECTED]>
Description: 
 proftpd    - Versatile, virtual-hosting FTP daemon
 proftpd-doc - Versatile, virtual-hosting FTP daemon (Documentation)
 proftpd-ldap - Versatile, virtual-hosting FTP daemon (dummy transitional package
 proftpd-mysql - Versatile, virtual-hosting FTP daemon (dummy transitional package
 proftpd-pgsql - Versatile, virtual-hosting FTP daemon (dummy transitional package
Closes: 368301
Changes: 
 proftpd (1.3.0-8) unstable; urgency=medium
 .
   * New patch for configure.in/configure (remove_rpath) to remove rpath adding
     at libtool installation time.
     (closes: #368301)
   * Updated patch ipv6_cidr_warn.dpatch to the latest version in CVS.
     See http://bugs.proftpd.org/show_bug.cgi?id=2785
Files: 
 91e93e5692a53d5b0437aecf3716751d 893 net optional proftpd_1.3.0-8.dsc
 1f270e9d9807321eb238e7e08ad5ec25 155913 net optional proftpd_1.3.0-8.diff.gz
 e0d2911f94db44c0a2f7362c07e8f2c7 622130 net optional proftpd_1.3.0-8_i386.deb
 6d1f8d28f3f1d4ff7fae094eb0e9bfed 480842 doc optional proftpd-doc_1.3.0-8_all.deb
 ecefcb1cca2336d08d5e64a730830d47 161182 net optional proftpd-mysql_1.3.0-8_all.deb
 eaeffbfe20c7f2d379fe8e7295f55b65 161184 net optional proftpd-pgsql_1.3.0-8_all.deb
 0a7cb39ff03fc3de63dba87e3093fadf 161178 net optional proftpd-ldap_1.3.0-8_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEcsHmpFNRmenyx0cRAt/8AKCkGJN36fcbfcBY77HrGo2EYwJ+sQCfTXXC
S9ysju8gOHAm2Z/RNJeLf0g=
=XFC8
-----END PGP SIGNATURE-----


--- End Message ---
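
A packaging check for the problem reported and fixed above, as an added example that is not part of the original messages or of the proftpd packaging: it reads chrpath output in the format quoted in the report and flags RPATH/RUNPATH components that point outside trusted library directories. The trusted prefix list and the two example-a/example-b sample lines are assumptions made for illustration.

```python
import posixpath
import re

# Assumption: library directories treated as trusted on the audited host.
TRUSTED_PREFIXES = ("/lib", "/usr/lib", "/usr/local/lib")

# Matches "<file>: RPATH=<value>" or "<file>: RUNPATH=<value>" as printed by chrpath.
TAG_LINE = re.compile(r"^(?P<file>.+?): (?P<tag>RPATH|RUNPATH)=(?P<value>.*)$")

def unsafe_entries(value, trusted=TRUSTED_PREFIXES):
    """Return (entry, reason) pairs for search-path components needing attention."""
    findings = []
    for entry in value.split(":"):
        if entry.startswith(("$ORIGIN", "${ORIGIN}")):
            findings.append((entry, "resolved relative to the binary's own location"))
        elif not entry.startswith("/"):
            # Empty or relative components are looked up from the working directory.
            findings.append((entry or "<empty>", "resolved relative to the working directory"))
        else:
            # Normalise first so "/usr/lib/../../tmp" cannot pass as "/usr/lib".
            norm = posixpath.normpath(entry)
            if not any(norm == p or norm.startswith(p + "/") for p in trusted):
                findings.append((entry, "outside the trusted library directories"))
    return findings

def audit(chrpath_output):
    """Map each file in chrpath output to its flagged RPATH/RUNPATH components."""
    report = {}
    for line in chrpath_output.splitlines():
        match = TAG_LINE.match(line.strip())
        if match:
            flagged = unsafe_entries(match["value"])
            if flagged:
                report[match["file"]] = flagged
    return report

# First line is the chrpath output from the report; the other two are constructed.
SAMPLE = """\
usr/sbin/proftpd: RPATH=/users/frankie/debian/mypkgs/proftpd/current/proftpd-1.3.0/debian/tmp/usr/sbin
usr/sbin/example-a: RUNPATH=/usr/lib/example
usr/sbin/example-b: no rpath or runpath tag found.
"""

if __name__ == "__main__":
    for path, flagged in audit(SAMPLE).items():
        for entry, reason in flagged:
            print(f"{path}: {entry!r} is {reason}")
```

Run against the unpacked package tree before upload, a non-empty report from audit() is grounds to fail the build.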
