Your message dated Fri, 04 Mar 2011 08:50:10 +0000
with message-id <e1pvqia-00011b...@franck.debian.org>
and subject line Bug#616179: fixed in proftpd-dfsg 1.3.3d-4
has caused the Debian Bug report #616179,
regarding proftpd: mod_sftp integer overflow / CVE-2011-1137
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
616179: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616179
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: proftpd-basic
Version: 1.3.3a-6
Tags: security
Severity: grave
Package proftpd-basic was assigned CVE-2011-1137 "mod_sftp integer
overflow". Packages might be vulnerable. The security tracker should also be
updated. This needs verifying.
References:
http://www.openwall.com/lists/oss-security/2011/03/02/5
http://bugs.proftpd.org/show_bug.cgi?id=3586
http://www.exploit-db.com/exploits/16129/
http://www.castaglia.org/proftpd/modules/mod_sftp.html
Best regards,
Henri Salo
--- End Message ---
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.3d-4
We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:
proftpd-basic_1.3.3d-4_amd64.deb
to main/p/proftpd-dfsg/proftpd-basic_1.3.3d-4_amd64.deb
proftpd-dev_1.3.3d-4_amd64.deb
to main/p/proftpd-dfsg/proftpd-dev_1.3.3d-4_amd64.deb
proftpd-dfsg_1.3.3d-4.debian.tar.gz
to main/p/proftpd-dfsg/proftpd-dfsg_1.3.3d-4.debian.tar.gz
proftpd-dfsg_1.3.3d-4.dsc
to main/p/proftpd-dfsg/proftpd-dfsg_1.3.3d-4.dsc
proftpd-doc_1.3.3d-4_all.deb
to main/p/proftpd-dfsg/proftpd-doc_1.3.3d-4_all.deb
proftpd-mod-ldap_1.3.3d-4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.3d-4_amd64.deb
proftpd-mod-mysql_1.3.3d-4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.3d-4_amd64.deb
proftpd-mod-odbc_1.3.3d-4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-odbc_1.3.3d-4_amd64.deb
proftpd-mod-pgsql_1.3.3d-4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.3d-4_amd64.deb
proftpd-mod-sqlite_1.3.3d-4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-sqlite_1.3.3d-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 616...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <fran...@debian.org> (supplier of updated
proftpd-dfsg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 04 Mar 2011 00:42:18 +0100
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql
proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite
Architecture: source amd64 all
Version: 1.3.3d-4
Distribution: unstable
Urgency: high
Maintainer: ProFTPD Maintainance Team
<pkg-proftpd-maintain...@lists.alioth.debian.org>
Changed-By: Francesco Paolo Lovergine <fran...@debian.org>
Description:
proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 613527 616179 616336
Changes:
proftpd-dfsg (1.3.3d-4) unstable; urgency=high
.
* Fixed previous changelog.
* Now proftpd.conf includes /etc/proftpd/conf.d contents to allow custom
  configurations being loaded after system ones in separate files.
* Added README.Debian for proftpd-dev to explain how to build add-on
  modules.
* [PATCH] silent remove excessive verbosity at startup about conf.d
  directory parsing.
* Updated debian/NEWS file with information about new conf.d directory.
* Now configuration file name can be overridden at run-time.
  (closes: #613527)
* Now uses Breaks instead of Conflicts against pre-squeeze proftpd package.
* [SECURITY,PATCH] CVE-2011-1137: mod_sftp behaves badly when receiving
  badly formed SSH messages.
  (closes: #616179)
* Updated Czech debconf template.
  (closes: #616336)
--- End Message ---