Bug#993173: proftpd-basic: mod_radius leaks memory contents to radius server

Chris Hofstaedtler chris at hofstaedtler.name
Thu Sep 2 09:11:29 BST 2021


Hello,

* Hilmar Preuße <hille42 at web.de> [210901 08:28]:
> Am 28.08.2021 um 13:31 teilte Chris Hofstaedtler mit:
> > it has been found that proftpd's mod_radius leaks uninitialised memory
> > to the RADIUS server, as part of the encrypted User-Password.
> > 
> > Upstream report: https://github.com/proftpd/proftpd/issues/1284
> > Patch: https://github.com/proftpd/proftpd/pull/1285/files
> > 
> > Upstream fixed this in HEAD and version 1.3.7c.
> > 
> > Please consider applying the patch to buster and bullseye. If need be I
> > can also look into supplying updated (source) packages.
> > 
> I've pushed the patch to stable and oldstable branch. Further I've packaged
> the 1.3.7c for unstable and would upload soon.

Thanks a lot!

> - Do we need to have the fix in all 3 distributions?
> - Are you willing to test the fix before I upload?

I can easily test on oldstable (=buster), but not on bullseye.

Chris

(Also, I'll be away most of the remaining September weeks, so I
could only do that relatively soon.)