Bug#697524: proftpd-basic: Apply upstream bugfix for upstream bug #3841 – Possible symlink race when applying UserOwner

Sun Jan 6 15:19:13 UTC 2013

Package: proftpd-basic
Version: 1.3.4a-2+b1
Severity: normal
Tags: security

There's a symlink race that could lead to root access in some configurations. See here:
http://bugs.proftpd.org/show_bug.cgi?id=3841

There's an upstream bugfix, so that should probably be backported.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages proftpd-basic depends on:
ii  adduser         3.113+nmu3
ii  debconf         1.5.49
ii  debianutils     4.3.2
ii  libacl1         2.2.51-8
ii  libc6           2.13-37
ii  libcap2         1:2.22-1.2
ii  libncurses5     5.9-10
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libpcre3        1:8.30-5
ii  libssl1.0.0     1.0.1c-4
ii  libtinfo5       5.9-10
ii  libwrap0        7.6.q-24
ii  netbase         5.0
ii  sed             4.2.1-10
ii  ucf             3.0025+nmu3
ii  update-inetd    4.43
ii  zlib1g          1:1.2.7.dfsg-13

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openbsd-inetd [inet-superserver]  0.20091229-2
ii  openssl                           1.0.1c-4
pn  proftpd-doc                       <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded