Your message dated Sat, 03 Jan 2009 19:52:23 +0000
with message-id <e1ljcxn-0000yz...@ries.debian.org>
and subject line Bug#500518: fixed in linux-ftpd-ssl 0.17.18+0.3-6etch1
has caused the Debian Bug report #500518,
regarding ftpd: command line split (CSRF)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
500518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ftpd
Version: 0.17-23
Severity: normal
Similar to recent OpenBSD changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
this Debian package seems vulnerable to the same issue
(and I expect the solution here to be the same).
See also:
multiple vendor ftpd - Cross-site request forgery
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064697.html
(My setting of severity on this bug is probably alarmist...)
Cheers,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-pk02.19-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages ftpd depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii libpam-modules 0.79-5 Pluggable Authentication Modules f
ii libpam0g 0.79-5 Pluggable Authentication Modules l
ii netbase 4.29 Basic TCP/IP networking system
ftpd recommends no packages.
-- debconf information:
* ftpd/globattack:
--- End Message ---
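A small model of the issue the report above points at, added here as an illustration and not code from the Debian ftpd package or from OpenBSD's ftpcmd.y: an fgets()-style command reader that hands every chunk it reads to the FTP command parser, beside a hardened reader that discards the remainder of an over-long line, which is the approach of the OpenBSD change the report cites. The buffer size (32 bytes), the command names and the attack stream are constructed for the example; the idea is that a browser tricked into POSTing a form to port 21 delivers a long line whose tail is an attacker-chosen FTP command.

```c
#include <stdio.h>
#include <string.h>

#define CMDBUF 32   /* deliberately small so a long line splits; real ftpd uses a bigger buffer */

/* Constructed attack stream (not from the report): two ordinary commands, then
 * one line whose first 31 bytes are filler and whose tail is the injected
 * command. A browser tricked into POSTing to port 21 can deliver such a line,
 * which is what makes the bug a cross-site request forgery. */
static const char ATTACK_STREAM[] =
    "USER anonymous\r\n"
    "PASS x\r\n"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "A"   /* 31 bytes: exactly fills the buffer */
    "DELE important.txt\r\n";

/* Read one chunk from the control channel (modelled as a string) the way
 * fgets(buf, bufsz, stdin) does: stop after '\n' or after bufsz-1 bytes.
 * Returns where the next read should resume. */
static const char *read_chunk(const char *in, char *buf, size_t bufsz)
{
    size_t n = 0;
    while (*in != '\0' && n < bufsz - 1) {
        buf[n++] = *in++;
        if (buf[n - 1] == '\n')
            break;
    }
    buf[n] = '\0';
    return in;
}

/* Drop a trailing CRLF or LF so the stored command is the bare line. */
static void strip_crlf(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && (s[len - 1] == '\n' || s[len - 1] == '\r'))
        s[--len] = '\0';
}

/* Vulnerable reader: every chunk the fgets()-style read returns goes to the
 * command parser as if it were a complete line, so an over-long line becomes
 * two commands and the attacker-controlled tail is executed as a command. */
int parse_stream_vulnerable(const char *stream, char out[][CMDBUF], int max)
{
    char buf[CMDBUF];
    int n = 0;
    while (*stream != '\0' && n < max) {
        stream = read_chunk(stream, buf, sizeof buf);
        strip_crlf(buf);
        strcpy(out[n++], buf);          /* at most CMDBUF-1 chars plus NUL */
    }
    return n;
}

/* Hardened reader, in the spirit of the OpenBSD ftpcmd.y change the report
 * cites: a chunk without a trailing '\n' means the line did not fit. Discard
 * the rest of that line and count it as rejected (a real server would answer
 * "500 Line too long") instead of parsing any fragment of it. */
int parse_stream_fixed(const char *stream, char out[][CMDBUF], int max, int *rejected)
{
    char buf[CMDBUF];
    int n = 0;
    *rejected = 0;
    while (*stream != '\0' && n < max) {
        size_t len;
        stream = read_chunk(stream, buf, sizeof buf);
        len = strlen(buf);
        if (len == 0 || buf[len - 1] != '\n') {
            while (*stream != '\0' && *stream++ != '\n')
                ;                       /* drain up to and including the newline */
            (*rejected)++;
            continue;
        }
        strip_crlf(buf);
        strcpy(out[n++], buf);
    }
    return n;
}

/* Run the attack stream through one reader; returns how many commands reached
 * the parser and, via *rejected (may be NULL), how many lines were refused. */
int accepted_commands(int hardened, int *rejected)
{
    char cmds[8][CMDBUF];
    int rej = 0, n;
    n = hardened ? parse_stream_fixed(ATTACK_STREAM, cmds, 8, &rej)
                 : parse_stream_vulnerable(ATTACK_STREAM, cmds, 8);
    if (rejected)
        *rejected = rej;
    return n;
}

/* 1 if the injected DELE reached the parser as a stand-alone command, else 0. */
int dele_reached_parser(int hardened)
{
    char cmds[8][CMDBUF];
    int rej, n, i;
    n = hardened ? parse_stream_fixed(ATTACK_STREAM, cmds, 8, &rej)
                 : parse_stream_vulnerable(ATTACK_STREAM, cmds, 8);
    for (i = 0; i < n; i++)
        if (strcmp(cmds[i], "DELE important.txt") == 0)
            return 1;
    return 0;
}

int main(void)
{
    int rej;
    printf("vulnerable: %d commands, DELE executed: %d\n",
           accepted_commands(0, NULL), dele_reached_parser(0));
    printf("fixed:      %d commands, DELE executed: %d\n",
           accepted_commands(1, &rej), dele_reached_parser(1));
    printf("fixed:      %d over-long line(s) rejected\n", rej);
    return 0;
}
```

With the vulnerable reader the 31-byte filler fills the buffer, so "DELE important.txt" arrives as a fourth, separate command; the hardened reader sees that the first chunk has no newline, throws the rest of the line away and parses only the two commands that fit. Note that the fix also rejects a final line that lacks a terminating newline, which is the conservative choice for a control channel.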
--- Begin Message ---
Source: linux-ftpd-ssl
Source-Version: 0.17.18+0.3-6etch1
We believe that the bug you reported is fixed in the latest version of
linux-ftpd-ssl, which is due to be installed in the Debian FTP archive:
ftpd-ssl_0.17.18+0.3-6etch1_i386.deb
to pool/main/l/linux-ftpd-ssl/ftpd-ssl_0.17.18+0.3-6etch1_i386.deb
linux-ftpd-ssl_0.17.18+0.3-6etch1.diff.gz
to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.18+0.3-6etch1.diff.gz
linux-ftpd-ssl_0.17.18+0.3-6etch1.dsc
to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.18+0.3-6etch1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 500...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ian Beckwith <i...@erislabs.net> (supplier of updated linux-ftpd-ssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 07 Dec 2008 23:48:44 +0000
Source: linux-ftpd-ssl
Binary: ftpd-ssl
Architecture: source i386
Version: 0.17.18+0.3-6etch1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Cai Qian <caiq...@debian.org>
Changed-By: Ian Beckwith <i...@erislabs.net>
Description:
ftpd-ssl - FTP server with SSL encryption support
Closes: 500518
Changes:
linux-ftpd-ssl (0.17.18+0.3-6etch1) stable-proposed-updates; urgency=low
.
* Fix CVE-2008-4247, a cross-site request forgery caused by splitting
long command lines (Closes: #500518).
Files:
aa4958bf1cd39f0f0efc4ce97f836a5d 647 net extra linux-ftpd-ssl_0.17.18+0.3-6etch1.dsc
2a139a000b0a7ed888a13e3a30dd8647 7101 net extra linux-ftpd-ssl_0.17.18+0.3-6etch1.diff.gz
ff499eeb9d79ec213ca47aee5f89d38c 50058 net extra ftpd-ssl_0.17.18+0.3-6etch1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklT6oAACgkQ97LBwbNFvdMx1wCfXjrZJObnQoP35M/Hx0WwUarl
2hcAn3WUZ8Upz9ds6XOEKt3nKgsTDAK/
=12m+
-----END PGP SIGNATURE-----
--- End Message ---