Bug#648373: [CVE-2011-4130] Use-after-free issue
Francesco P. Lovergine
frankie at debian.org
Fri Nov 11 23:18:16 UTC 2011
On Fri, Nov 11, 2011 at 07:56:02PM +0100, Florian Weimer wrote:
> * Francesco P. Lovergine:
>
> >> A use-after-free issue has been discovered in ProFTPd:
> >>
> >> <http://bugs.proftpd.org/show_bug.cgi?id=3711>
> >>
> >> It seems that squeeze is vulnerable, too. I haven't checked the code
> >> in lenny yet.
>
> > I have 1.3.3a-6squeeze3 ready for squeeze with the required fix.
> > Waiting for a secteam go signal, just in case.
>
> Thanks. I trust that the call is at the right place, I find the code
> somewhat confusing.
>
> Please upload with the usual caveats (1.3.3a-6squeeze2 as version
> number, squeeze-security suite, host security-master).
About lenny, it appears the 1.3.1 version still had not the feature
of dispatching control commands while data transfers are going on.
So the whole pool mechanism is not operational and the issue does not
apply at all.
--
Francesco P. Lovergine
More information about the Pkg-proftpd-maintainers
mailing list