Date: Wed, 11 Feb 2009 12:13:42 -0700
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for proftpd

* [2009-02-11 10:58:05 -0800] TJ Saunders wrote:

>> An SQL injection vulnerability in proftpd was reported on bugtraq
>> yesterday that could allow a user to login to proftpd with any password
>> if they use mysql for authentication (and, presumably, postgresql).
>> 
>> References:
>> 
>> http://www.securityfocus.com/archive/1/500823/30/0/threaded
>> http://bugs.gentoo.org/show_bug.cgi?id=258450
>> http://bugs.proftpd.org/show_bug.cgi?id=3180
>> https://bugzilla.redhat.com/show_bug.cgi?id=485125
>
>This has been reported on the ProFTPD Bugzilla:
>
>  http://bugs.proftpd.org/show_bug.cgi?id=3180

Yeah, I noted that above.  =)

>As discussed there, this is a duplicate of an earlier bug:
>
>  http://bugs.proftpd.org/show_bug.cgi?id=3124
>
>and has been fixed in ProFTPD 1.3.2rc3 and later.

Thanks, TJ.  I just read the comments and the duplicate note a few
minutes ago and was going to reply to it.

We still need a CVE name, however.  Bug #3124 does not note any kind of
security impact, which there clearly is, so I don't believe a CVE name
had been assigned to this previously (at least not that I could find).

-- 
Vincent Danen / Red Hat Security Response Team 
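
The defect class the thread is about, an authentication lookup that splices the client-supplied username into SQL text so that quote characters change the statement, shown beside the parameterized form that keeps the input as data. This is an added example and not ProFTPD's mod_sql code; it uses an in-memory SQLite table with a constructed user row (`alice` / `correct-horse`) in place of MySQL or PostgreSQL, and the function names `auth_vulnerable`, `auth_parameterized` and `make_db` are hypothetical. `auth_vulnerable` reproduces the reported impact (a crafted username authenticates with a wrong password); `auth_parameterized` is the fix pattern a maintainer would apply.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample store: one user; the password is a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def auth_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Vulnerable pattern (hypothetical, for illustration): the username is
    interpolated into the SQL text, so a quote in it ends the string literal
    and the remainder of the statement, including the password check, can be
    commented out. That is how a login with any password becomes possible."""
    sql = "SELECT userid FROM users WHERE userid = '%s' AND passwd = '%s'" % (
        user,
        password,
    )
    row = conn.execute(sql).fetchone()
    return row is not None


def auth_parameterized(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened form: bound parameters are sent as data, never parsed as SQL,
    so the same crafted username simply fails to match any row."""
    sql = "SELECT userid FROM users WHERE userid = ? AND passwd = ?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row is not None


def demo() -> dict:
    """Run both lookups against a legitimate login and a crafted username.
    Returns a dict so a caller can compare the outcomes rather than read stdout."""
    conn = make_db()
    crafted = "alice' --"  # constructed input: closes the literal, comments out the rest
    results = {
        "vulnerable_good_login": auth_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_wrong_password": auth_vulnerable(conn, crafted, "not-the-password"),
        "parameterized_good_login": auth_parameterized(conn, "alice", "correct-horse"),
        "parameterized_wrong_password": auth_parameterized(conn, crafted, "not-the-password"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

Reviewing a backend for this bug reduces to one question: does the username (or any other client-controlled field) reach the database through string formatting, or through the driver's parameter binding? Only the latter closes the hole; escaping helpers are a fallback, not a substitute, and a code-review grep for `%`-formatted or concatenated `SELECT`/`WHERE` strings in the auth path is the quickest way to find remaining instances.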
