ProFTPD in Hardy vulnerable to CVE-2008-4242

Bug #310949 reported by Zachary Schneider
Affects                   Status         Importance   Assigned to   Milestone
proftpd-dfsg (Ubuntu)     Fix Released   Undecided    Unassigned
Hardy                     Won't Fix      Undecided    Unassigned
Intrepid                  Invalid        Undecided    Unassigned
Jaunty                    Fix Released   Undecided    Unassigned

Marc Deslauriers (mdeslaur) wrote :

Thanks for filing a bug with Ubuntu. proftpd-dfsg is in universe and
is community maintained. If you are able, I suggest posting a debdiff that fixes this issue.

See: https://wiki.ubuntu.com/SecurityUpdateProcedures for more information.

Kees Cook (kees)
Changed in proftpd-dfsg:
status: New → Confirmed
Chris McCracken (cmccracken) wrote :

I'd love to see a fix for this. We're running several servers on 8.04 LTS, and this bug is keeping us from getting PCI Compliance. This bug is a PCI Level 2 (Medium) vulnerability. It's been around for a little while, so maybe a fix soon? If not, we'll have to abandon Ubuntu for something with more timely security fixes.

CVE: CVE-2008-4242
NVD: CVE-2008-4242
Bugtraq: 31289
Reference: http://bugs.proftpd.org/show_bug.cgi?id=3115
CVSSv2: AV:N/AC:M/Au:N/C:P/I:P/A:P (Base Score:6.80)

Jamie Strandboge (jdstrand) wrote :

Closing per note in our CVE tracker. If this is incorrect, please reopen:

 stefanlsd> After discussion with Francesco Paolo Lovergine <email address hidden>
   we concluded that this bug does not affect the Debian or Ubuntu versions of
   proftpd 1.3.1 or earlier. We believe the problems that this CVE affects were only
   introduced in the proftpd 1.3.2rc series. The exploit as found in the Bugs section
   was independently tested and shown to not apply.

Changed in proftpd-dfsg (Ubuntu):
status: Confirmed → Invalid
Patrick Burleson (pburleson) wrote :

I have just confirmed this bug using the command from the Debian Bug linked in this report.

perl -e 'print "A"x1022,"QUIT\n"' | nc localhost 21

I checked this against a fully updated Hardy Heron 8.04 LTS system running ProFTPd 1.3.1-6ubuntu1.

If the command above prints out "Goodbye", then the version of ProFTPd is vulnerable.

Changed in proftpd-dfsg (Ubuntu):
status: Invalid → Confirmed
Patrick Burleson (pburleson) wrote :

Additional note:

Tested against my 9.04 install which has proftpd-1.3.1-17ubuntu1 and the vulnerability is fixed there.

Changed in proftpd-dfsg (Ubuntu):
status: Confirmed → Fix Released
Changed in proftpd-dfsg (Ubuntu Hardy):
status: New → Confirmed
Changed in proftpd-dfsg (Ubuntu Jaunty):
status: New → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in proftpd-dfsg (Ubuntu Intrepid):
status: New → Invalid
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in proftpd-dfsg (Ubuntu Hardy):
status: Confirmed → Won't Fix