Your message dated Fri, 11 Dec 2009 10:22:31 +0000
with message-id <[email protected]>
and subject line Bug#559842: fixed in proftpd-dfsg 1.3.2c-1
has caused the Debian Bug report #559842,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
559842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559842
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: proftpd-dfsg
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.2c-1
We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:
proftpd-basic_1.3.2c-1_i386.deb
to main/p/proftpd-dfsg/proftpd-basic_1.3.2c-1_i386.deb
proftpd-dev_1.3.2c-1_i386.deb
to main/p/proftpd-dfsg/proftpd-dev_1.3.2c-1_i386.deb
proftpd-dfsg_1.3.2c-1.diff.gz
to main/p/proftpd-dfsg/proftpd-dfsg_1.3.2c-1.diff.gz
proftpd-dfsg_1.3.2c-1.dsc
to main/p/proftpd-dfsg/proftpd-dfsg_1.3.2c-1.dsc
proftpd-dfsg_1.3.2c.orig.tar.gz
to main/p/proftpd-dfsg/proftpd-dfsg_1.3.2c.orig.tar.gz
proftpd-doc_1.3.2c-1_all.deb
to main/p/proftpd-dfsg/proftpd-doc_1.3.2c-1_all.deb
proftpd-mod-ldap_1.3.2c-1_i386.deb
to main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.2c-1_i386.deb
proftpd-mod-mysql_1.3.2c-1_i386.deb
to main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.2c-1_i386.deb
proftpd-mod-odbc_1.3.2c-1_i386.deb
to main/p/proftpd-dfsg/proftpd-mod-odbc_1.3.2c-1_i386.deb
proftpd-mod-pgsql_1.3.2c-1_i386.deb
to main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.2c-1_i386.deb
proftpd-mod-sqlite_1.3.2c-1_i386.deb
to main/p/proftpd-dfsg/proftpd-mod-sqlite_1.3.2c-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <[email protected]> (supplier of updated
proftpd-dfsg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 11 Dec 2009 09:42:48 +0100
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite
Architecture: source i386 all
Version: 1.3.2c-1
Distribution: unstable
Urgency: low
Maintainer: Francesco Paolo Lovergine <[email protected]>
Changed-By: Francesco Paolo Lovergine <[email protected]>
Description:
proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 553406 555862 558597 559842
Changes:
proftpd-dfsg (1.3.2c-1) unstable; urgency=low
 .
   * New upstream release, with fix of CVE-2009-3736 due to update of the
     embedded liblt with a backported fix.
     (closes: #553406, #555862, #559842)
     Merged patches: 3324, 3328.
   * Added a note about AllowClientRenegotiations option for TLS protocols in
     NEWS and a commented directive in tls.conf subfile.
     (closes: #558597)
Checksums-Sha1:
0edf0a1f297198398767391c292c236e444364e6 1384 proftpd-dfsg_1.3.2c-1.dsc
2bf1df38e8916d9b615f7e0eafc3d7dc3428ab25 3018899 proftpd-dfsg_1.3.2c.orig.tar.gz
02549a4962d87023ece757e4ac4cf64041fa1880 95407 proftpd-dfsg_1.3.2c-1.diff.gz
06145c37e4a4b13942c37c28448ff35e2fc7f18e 857420 proftpd-basic_1.3.2c-1_i386.deb
78a3f70e79432a8cc596df2c80bc84df78aa9dd7 588696 proftpd-dev_1.3.2c-1_i386.deb
a39876880d236af409ed62bc23a744fa7df0507e 303606 proftpd-mod-mysql_1.3.2c-1_i386.deb
9e1509afbf434f9dad7890729fe19a3b2917e2ea 303558 proftpd-mod-pgsql_1.3.2c-1_i386.deb
c132c2b39bdfddee1865a49304bc4336119789bd 312216 proftpd-mod-ldap_1.3.2c-1_i386.deb
3acf3191d8a3243f165a7b3387cd6f522c73a3bc 305500 proftpd-mod-odbc_1.3.2c-1_i386.deb
ca8bd6b18d95bec3e1c286ff29985c6e2a397c4d 303468 proftpd-mod-sqlite_1.3.2c-1_i386.deb
d9994b4689c628c1fb6eb972b9cf6170e11865ec 1408580 proftpd-doc_1.3.2c-1_all.deb
Checksums-Sha256:
fad67a45eb109835bac3444dcd7c120d814e960ae559b4b887b3c2033421db87 1384 proftpd-dfsg_1.3.2c-1.dsc
78bb96ed1127e4fcd9275612e80b8c60c65516d16f9738f19053390096717d9c 3018899 proftpd-dfsg_1.3.2c.orig.tar.gz
c9c1072cdb8a591a6811c47d9f9505f98940141463c48732edd6c777a46fa8d1 95407 proftpd-dfsg_1.3.2c-1.diff.gz
6ac5add5d63bcda48bf399bea8c9af2cdb61f901a7414831186470959fb750ba 857420 proftpd-basic_1.3.2c-1_i386.deb
030dcf892f07017b2e7497164aebca1a9b6415b685a19ce86c1b78f1e265ba96 588696 proftpd-dev_1.3.2c-1_i386.deb
03e9797c1f060a39173cad9034dbf97f863b8a98bb6771ffb904c790d5eb638e 303606 proftpd-mod-mysql_1.3.2c-1_i386.deb
7c62c3781e51fdbf3ecd7f0ad4882c3d23b5acb9bbfecf5fe59f14f0099cd498 303558 proftpd-mod-pgsql_1.3.2c-1_i386.deb
2acb276c75f9542d5e3ec3271af7aada6a9d76f295da3330532f68ec2d0d55f2 312216 proftpd-mod-ldap_1.3.2c-1_i386.deb
85c8d0fb13680463f92f75131ef9e9bf0ab4f2ef6806b1870372431c4993f42a 305500 proftpd-mod-odbc_1.3.2c-1_i386.deb
cc930e07641087facb1040a334fe5a271c1ca1cedba2779950fdb64afe50747e 303468 proftpd-mod-sqlite_1.3.2c-1_i386.deb
6db3ac5480ea39fb670a42339c0a3825ef2eef30583310e02431992762020ddf 1408580 proftpd-doc_1.3.2c-1_all.deb
Files:
c3c37dfda0995d7c9ee87d489f9abbbe 1384 net optional proftpd-dfsg_1.3.2c-1.dsc
0e6e29f707efbec4b43cf7a44811c166 3018899 net optional proftpd-dfsg_1.3.2c.orig.tar.gz
a2aa987c1ec6c18045ac23e1a8e576d3 95407 net optional proftpd-dfsg_1.3.2c-1.diff.gz
a972137394d2e23bd33dda8765ec774d 857420 net optional proftpd-basic_1.3.2c-1_i386.deb
45e89b24a57fb2e4a8e72270709a1d9e 588696 net optional proftpd-dev_1.3.2c-1_i386.deb
3da2653f99d688bdbf20ac901dc679ce 303606 net optional proftpd-mod-mysql_1.3.2c-1_i386.deb
1478171988f1f27c5a62c065abe18887 303558 net optional proftpd-mod-pgsql_1.3.2c-1_i386.deb
85d4e4489528d5b694b7931d23e28430 312216 net optional proftpd-mod-ldap_1.3.2c-1_i386.deb
66ed25a1a9a8c6e507014e22ac9dd441 305500 net optional proftpd-mod-odbc_1.3.2c-1_i386.deb
18ef671c1746f438fadb431ed5c14df6 303468 net optional proftpd-mod-sqlite_1.3.2c-1_i386.deb
ff0fbd98beb046f3c4084999830854ed 1408580 doc optional proftpd-doc_1.3.2c-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksiGsYACgkQpFNRmenyx0feKwCfYai2hUdo4tlhOkRWMQG1jFlJ
p9IAn0F5sVXEnvojLFL2/hiRaMf3SGCa
=2Rth
-----END PGP SIGNATURE-----
--- End Message ---