Package: ftpd
Version: 0.17-23
Severity: normal

Similar to recent OpenBSD changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
this Debian package seems vulnerable to the same issue (and I expect the solution here to be the same).

See also:
multiple vendor ftpd - Cross-site request forgery
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064697.html

(My setting of severity on this bug is probably alarmist...)

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-pk02.19-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ftpd depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii libpam-modules 0.79-5 Pluggable Authentication Modules f
ii libpam0g 0.79-5 Pluggable Authentication Modules l
ii netbase 4.29 Basic TCP/IP networking system

ftpd recommends no packages.

-- debconf information:
* ftpd/globattack: