Hi Chris,

On Fri, Feb 21, 2020 at 12:32:12PM -0800, Chris Lamb wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Package : proftpd-dfsg
> Version : 1.3.5e+r1.3.5-2+deb8u6
> CVE ID : CVE-2020-9273
>
> It was discovered that there was a use-after-free vulnerability in
> the proftpd-dfsg FTP server.
>
> Exploitation of this vulnerability within the memory pool handling
> could have allowed a remote attacker to execute arbitrary code on the
> affected system.
>
> For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
> 1.3.5e+r1.3.5-2+deb8u6.

Heads-up on this proftpd-dfsg update. This would need a (functional)
regression update, as upstream noticed a problem with the initial commit
(and it regressed a use-case with LogFormat functionality).

See: https://bugs.debian.org/952557

Regards,
Salvatore
