Francesco P. Lovergine wrote:
> On Fri, Jan 04, 2008 at 07:13:54PM +0100, Luk Claes wrote:
>>>> CVE-2007-2165[0]:
>>>> | The Auth API in ProFTPD before 20070417, when multiple simultaneous
>>>> | authentication modules are configured, does not require that the
>>>> | module that checks authentication is the same as the module that
>>>> | retrieves authentication data, which might allow remote attackers to
>>>> | bypass authentication, as demonstrated by use of SQLAuthTypes
>>>> | Plaintext in mod_sql, with data retrieved from /etc/passwd.
>>>>
>>>>
>
> [...]
>
>>> Yes, indeed I pointed that months ago to secteam without so much
>>> interest due to the nature of the issue I think. I can prepare
>>> a new version for a point release anyway starting from 1.2.10-22,
>>> and limiting the changes to a specific patch. Maybe I should have
>>> a sec update of the time somewhere, too...
>> Please send a diff. Thanks already.
>>
>> Cheers
>>
>> Luk
>>
>>
>
> Here you are.

Please upload.

Cheers

Luk
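
Added example, not part of this thread and not ProFTPD code: a simplified Python model of the flaw the quoted CVE-2007-2165 text describes, showing a dispatcher that lets any configured module check a retrieved record beside one that binds the check to the module that retrieved it. The module classes, function names and the sample record are constructed for illustration.

```python
import hashlib
import hmac

def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

class HashedFileModule:
    """Hypothetical backend: records hold 'salt$sha256(salt + password)'."""
    def __init__(self, records):
        self.records = records
    def lookup(self, user):
        return self.records.get(user)
    def check(self, stored, supplied):
        salt, _, digest = stored.partition("$")
        return hmac.compare_digest(digest, _digest(salt, supplied))

class PlaintextModule:
    """Hypothetical backend configured to compare the stored value as plaintext."""
    def __init__(self, records):
        self.records = records
    def lookup(self, user):
        return self.records.get(user)
    def check(self, stored, supplied):
        return hmac.compare_digest(stored, supplied)

def lookup_first(modules, user):
    # Return the first module that knows the user, with its record.
    for module in modules:
        stored = module.lookup(user)
        if stored is not None:
            return module, stored
    return None, None

def authenticate_unbound(modules, user, supplied):
    # Flawed: the record comes from one module, but any module may approve it.
    _, stored = lookup_first(modules, user)
    if stored is None:
        return False
    return any(module.check(stored, supplied) for module in modules)

def authenticate_bound(modules, user, supplied):
    # Fixed: only the module that retrieved the record may check it.
    owner, stored = lookup_first(modules, user)
    return owner is not None and owner.check(stored, supplied)

# Constructed sample data: one hashed record, and an empty plaintext backend.
STORED = "s1$" + _digest("s1", "correct horse")
MODULES = [HashedFileModule({"alice": STORED}), PlaintextModule({})]
```

In the unbound dispatcher the stored field itself is accepted as a password because the plaintext module is allowed to judge a record it never supplied; the bound dispatcher rejects it.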