Francesco P. Lovergine wrote:
> On Tue, Jan 01, 2008 at 07:16:53PM +0100, Nico Golde wrote:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for proftpd some time ago.
>>
>> CVE-2007-2165[0]:
>> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
>> | authentication modules are configured, does not require that the
>> | module that checks authentication is the same as the module that
>> | retrieves authentication data, which might allow remote attackers to
>> | bypass authentication, as demonstrated by use of SQLAuthTypes
>> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
>>
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via regular security update in Debian
>> oldstable/stable. It does not warrant a DSA.
>>
>> However it would be nice if this could get fixed via a regular point
>> update[1]. Please contact the release team for this.
>>
>> This is an automatically generated mail, in case you are already working on
>> an upgrade this is of course pointless.
>>
>> You can see the status of this vulnerability on:
>> http://security-tracker.debian.net/tracker/CVE-2007-2165
>>
>> For further information:
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2165
>> [1] http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable
>>
>> Kind regards
>> Nico
>
> Yes, indeed I pointed that months ago to secteam without so much
> interest due to the nature of the issue I think. I can prepare
> a new version for a point release anyway starting from 1.2.10-22,
> and limiting the changes to a specific patch. Maybe I should have
> a sec update of the time somewhere, too...

Please send a diff. Thanks already.

Cheers

Luk
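A simplified model of the Auth API mismatch described in the CVE text quoted above, as an added example that is not part of this thread or of ProFTPD's own code: one module retrieves the account record while another is allowed to check the password against it, and the fixed dispatcher ties both steps to the same module. The two module stubs, the account "alice" and the shadow secret are assumptions constructed for illustration.

```c
/* Added example, not ProFTPD code: a simplified model of the CVE-2007-2165
 * Auth API flaw. The two modules mimic mod_auth_unix and mod_sql; the
 * account "alice" and the shadow secret are constructed. */
#include <string.h>
typedef struct {
    const char *(*getpwnam)(const char *user);           /* stored field or NULL */
    int (*check)(const char *stored, const char *pass);  /* 1 = password accepted */
} auth_module;

/* mod_auth_unix-like: /etc/passwd is shadowed, so the field is just "x";
 * the real check consults the (constructed) shadow secret instead. */
static const char *unix_getpwnam(const char *user) {
    return strcmp(user, "alice") == 0 ? "x" : NULL;
}
static int unix_check(const char *stored, const char *pass) {
    (void)stored;
    return strcmp(pass, "constructed-shadow-secret") == 0;
}
/* mod_sql-like with SQLAuthTypes Plaintext: it has no row for alice, yet
 * its check compares the password to whatever field it is handed. */
static const char *sql_getpwnam(const char *user) { (void)user; return NULL; }
static int sql_check(const char *stored, const char *pass) {
    return stored && strcmp(stored, pass) == 0;
}

static const auth_module modules[] = {
    { unix_getpwnam, unix_check }, { sql_getpwnam, sql_check },
};
#define NMODULES (sizeof modules / sizeof modules[0])

/* Pre-20070417 behaviour: the record comes from whichever module knows the
 * user, then ANY module may vouch for the password against that record. */
int auth_vulnerable(const char *user, const char *pass) {
    const char *stored = NULL; size_t i;
    for (i = 0; i < NMODULES && !stored; i++) stored = modules[i].getpwnam(user);
    if (!stored) return 0;
    for (i = 0; i < NMODULES; i++)
        if (modules[i].check(stored, pass)) return 1;
    return 0;
}

/* Fixed behaviour: only the module that retrieved the record checks it. */
int auth_fixed(const char *user, const char *pass) {
    for (size_t i = 0; i < NMODULES; i++) {
        const char *stored = modules[i].getpwnam(user);
        if (stored) return modules[i].check(stored, pass);
    }
    return 0;
}
```

With the modules configured this way, the vulnerable dispatcher accepts the literal placeholder field as a password, while the fixed one accepts only the credential the retrieving module actually verifies.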

