[Bug 997113] Re: Ubuntu 8.04.4 LTS - Proftpd SQL exploit

Marc Deslauriers marc.deslauriers at canonical.com
Mon May 14 15:31:13 UTC 2012


Oh, sorry about that, I had misread that as 10.04 for some reason.

Since proftpd-dfsg is in universe, it is community maintained. If you
are able, I suggest posting a debdiff for this issue. When a debdiff is
available, members of the security team will review it and publish the
package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Although we don't track universe packages for 8.04 in our CVE tracker
any longer, if a debdiff is submitted, we will sponsor it and get it
uploaded to 8.04.


** Changed in: proftpd-dfsg (Ubuntu)
       Status: Invalid => Confirmed

** Also affects: proftpd-dfsg (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Changed in: proftpd-dfsg (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: proftpd-dfsg (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of ProFTPD
Maintainance Team, which is subscribed to proftpd-dfsg in Ubuntu.
https://bugs.launchpad.net/bugs/997113

Title:
  Ubuntu 8.04.4 LTS - Proftpd SQL exploit

Status in “proftpd-dfsg” package in Ubuntu:
  Fix Released
Status in “proftpd-dfsg” source package in Hardy:
  Confirmed

Bug description:
  Proftpd version 1.3.1-6ubuntu1 exploit:

  The variable substitution feature in the version of ProFTPD running on
  the remote host can be abused to conduct a SQL injection attack. For
  example, a remote attacker can bypass authentication using a specially
  crafted username containing a percent sign character ('%'), a single
  quote, and SQL code.

  http://www.securityfocus.com/archive/1/500823/30/0/threaded

  http://bugs.proftpd.org/show_bug.cgi?id=3124
  http://bugs.proftpd.org/show_bug.cgi?id=3180

  http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2rc3
  http://www.proftpd.org/docs/NEWS-1.3.2rc3

  http://comments.gmane.org/gmane.comp.security.oss.general/1489

  Solution: Upgrade to ProFTPD 1.3.2rc3 or later.

  Could this be fixed in Ubuntu 8.04.4 LTS?
