On Tue, Jan 01, 2008 at 07:16:53PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for proftpd some time ago.
>
> CVE-2007-2165[0]:
> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
> | authentication modules are configured, does not require that the
> | module that checks authentication is the same as the module that
> | retrieves authentication data, which might allow remote attackers to
> | bypass authentication, as demonstrated by use of SQLAuthTypes
> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
>
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via a regular security update in Debian
> oldstable/stable. It does not warrant a DSA.
>
> However it would be nice if this could get fixed via a regular point
> update[1].
> Please contact the release team for this.
>
> This is an automatically generated mail; in case you are already working on an
> upgrade this is of course pointless.
>
> You can see the status of this vulnerability on:
> http://security-tracker.debian.net/tracker/CVE-2007-2165
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
> [1] http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable
>
> Kind regards
> Nico
Yes, indeed I pointed that out months ago to the secteam without much interest, due to the nature of the issue I think. I can prepare a new version for a point release anyway, starting from 1.2.10-22 and limiting the changes to a specific patch. Maybe I should have a sec update of the time somewhere, too...

-- 
Francesco P. Lovergine
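The CVE text quoted above turns on one dispatch detail: the module that looked up the user's record and the module that checks the submitted password are chosen independently, so mod_sql's "SQLAuthTypes Plaintext" comparison can be applied to a hashed field that mod_auth_unix read from /etc/passwd. The following is an added toy model of that class of bug, written for this page; it is not ProFTPD's code, the 20070417 fix, or the Debian patch under discussion. It assumes a two-module chain in which the SQL module's handlers are consulted first, uses SHA-256 in place of crypt(3) purely for portability, and the consequence it shows (the stored field itself is accepted as a password by the plaintext comparator) is this model's reading of the CVE description, not a claim about any specific ProFTPD build. All names (`PwEntry`, `AuthModule`, `vulnerable_login`, `fixed_login`) and the sample accounts are constructed for the example.

```python
"""Toy model of the Auth API flaw described in CVE-2007-2165 (added example).

Two stand-in modules play the roles of mod_auth_unix (hashed credentials
from a passwd-style file) and mod_sql configured with "SQLAuthTypes
Plaintext". SHA-256 replaces crypt(3) only to keep the example portable;
the dispatch logic, not the hash, is the point.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class PwEntry:
    name: str
    passwd: str  # credential field; its meaning depends on the producing module
    uid: int


def _hash(pw: str) -> str:
    # Stand-in for crypt(3); an assumption made for portability only.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample data: alice exists only in the passwd-style file.
PASSWD_FILE = {"alice": PwEntry("alice", _hash("correct horse"), 1000)}
SQL_TABLE: dict = {}  # mod_sql-style user table, deliberately empty


@dataclass
class AuthModule:
    name: str
    getpwnam: Callable[[str], Optional[PwEntry]]
    auth: Callable[[PwEntry, str], bool]


def unix_getpwnam(user: str) -> Optional[PwEntry]:
    return PASSWD_FILE.get(user)


def unix_auth(entry: PwEntry, pw: str) -> bool:
    # Hashes the submitted password and compares it with the stored hash.
    return hmac.compare_digest(entry.passwd, _hash(pw))


def sql_getpwnam(user: str) -> Optional[PwEntry]:
    return SQL_TABLE.get(user)


def sql_auth_plaintext(entry: PwEntry, pw: str) -> bool:
    # "SQLAuthTypes Plaintext": the stored field is compared as-is.
    return hmac.compare_digest(entry.passwd, pw)


# Assumed order for this illustration: the SQL module's handlers are
# consulted before the built-in unix module's.
MODULES = [
    AuthModule("mod_sql", sql_getpwnam, sql_auth_plaintext),
    AuthModule("mod_auth_unix", unix_getpwnam, unix_auth),
]


def lookup(user: str) -> Optional[Tuple[AuthModule, PwEntry]]:
    """First module that knows the user wins; returns (module, entry)."""
    for m in MODULES:
        entry = m.getpwnam(user)
        if entry is not None:
            return m, entry
    return None


def vulnerable_login(user: str, pw: str) -> bool:
    """Flawed dispatch: the password check walks the module list on its own,
    so any module's comparator may be run against an entry another module
    produced. Here mod_sql's plaintext compare sees mod_auth_unix's hash."""
    found = lookup(user)
    if found is None:
        return False
    _, entry = found
    return any(m.auth(entry, pw) for m in MODULES)


def fixed_login(user: str, pw: str) -> bool:
    """Bind the check to the module that retrieved the data."""
    found = lookup(user)
    if found is None:
        return False
    module, entry = found
    return module.auth(entry, pw)


def demo() -> dict:
    stored = PASSWD_FILE["alice"].passwd  # what someone who read the file holds
    return {
        "vuln_real_pw": vulnerable_login("alice", "correct horse"),
        "vuln_stored_field": vulnerable_login("alice", stored),
        "fixed_real_pw": fixed_login("alice", "correct horse"),
        "fixed_stored_field": fixed_login("alice", stored),
        "unknown_user": fixed_login("bob", "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check this suggests for a ProFTPD deployment of that era is configuration-level: if more than one auth module is loaded, confirm that every enabled SQLAuthTypes value is a hashing type and that each account is defined in exactly one backend, so no module's comparator is ever handed data from another.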

