remote code execution in ProFTPD
Bug #73603 reported by
magilus
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Dapper Backports |
Invalid
|
Critical
|
Unassigned | ||
| Edgy Backports |
Invalid
|
Undecided
|
Unassigned | ||
| linux-ftpd (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
| proftpd-dfsg (Debian) |
Fix Released
|
Unknown
|
|||
| proftpd-dfsg (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Dapper |
Fix Released
|
Undecided
|
Unassigned | ||
| Edgy |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
On 6 November 2006, Evgeny Legerov <email address hidden> posted to BUGTRAQ[1],
announcing his commercial VulnDisco Pack for Metasploit 2.7[2]. One of the
included exploits, vd_proftpd.pm, takes advantage of an off-by-one string
manipulation flaw in ProFTPD's sreplace() function to allow a remote
attacker to execute arbitrary code.
[...]
Full description and patch is available at
CVE References
Revision history for this message
| Kees Cook (kees) wrote | #1 |
| Changed in proftpd: | |
| status: | Unconfirmed → Confirmed |
| Changed in edgy-backports: | |
| status: | Unconfirmed → Rejected |
Revision history for this message
| John Dong (jdong) wrote | #2 |
| Changed in dapper-backports: | |
| importance: | Undecided → Critical |
| Changed in proftpd-dfsg: | |
| status: | Unconfirmed → Fix Released |
| Changed in dapper-backports: | |
| status: | Unconfirmed → Rejected |
Revision history for this message
| Brandon Holtsclaw (imbrandon) wrote | #3 |
| Changed in proftpd-dfsg: | |
| status: | Fix Released → Fix Committed |
| Changed in proftpd: | |
| status: | Unconfirmed → Rejected |
| Changed in proftpd-dfsg: | |
| status: | Unknown → Fix Released |
| Changed in proftpd-dfsg: | |
| status: | Unconfirmed → Fix Released |
| status: | Fix Committed → Fix Released |
Revision history for this message
| Daniel T Chen (crimsun) wrote | #4 |
| Changed in proftpd-dfsg: | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
This package is in universe, so if someone can prepare a tested debdiff for the released Ubuntu versions, I'd be happy to upload it into the Ubuntu security repository.