[Bug 997113]
Jamie Strandboge
jamie at ubuntu.com
Tue May 21 15:48:22 UTC 2013
Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against hardy is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.
Please feel free to report any other bugs you may find.
** Changed in: proftpd-dfsg (Ubuntu Hardy)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of ProFTPD
Maintainance Team, which is subscribed to proftpd-dfsg in Ubuntu.
https://bugs.launchpad.net/bugs/997113
Title:
Ubuntu 8.04.4 LTS - Proftpd SQL exploit
Status in “proftpd-dfsg” package in Ubuntu:
Fix Released
Status in “proftpd-dfsg” source package in Hardy:
Won't Fix
Bug description:
Proftpd version 1.3.1-6ubuntu1 exploit:
The variable substitution feature in the version of ProFTPD running on
the remote host can be abused to conduct a SQL injection attack. For
example, a remote attacker can bypass authentication using a specially
crafted username containing a percent sign character ('%'), a single
quote, and SQL code.
http://www.securityfocus.com/archive/1/500823/30/0/threaded
http://bugs.proftpd.org/show_bug.cgi?id=3124
http://bugs.proftpd.org/show_bug.cgi?id=3180
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2rc3
http://www.proftpd.org/docs/NEWS-1.3.2rc3
http://comments.gmane.org/gmane.comp.security.oss.general/1489
Solution: Upgrade to ProFTPD 1.3.2rc3 or later.
Could this be fixed in Ubuntu 8.04.4 LTS?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/997113/+subscriptions
More information about the Pkg-proftpd-maintainers
mailing list