Bug#923926: proftpd has memory leaks, allows Denial-Of-Service attack

Francesco P. Lovergine frankie at debian.org
Fri Apr 5 12:56:06 BST 2019


On Fri, Apr 05, 2019 at 01:46:23PM +0200, Markus Koschany wrote:
>Hi,
>
>On 29.03.19 at 16:44, Francesco P. Lovergine wrote:
>> On Thu, Mar 28, 2019 at 01:49:51PM +0100, Markus Koschany wrote:
>>> Hello Francesco,
>>>
>>> I intend to upgrade proftpd in Jessie to fix the memory leaks and
>>> another unrelated issue. I think it would be best to backport the
>>> version in testing. If you agree, I could also update proftpd in stable.
>>> Please let me know if I can proceed.
>>>
>>
>> A conservative approach would be using latest 1.3.5 version, instead of
>> 1.3.6.
>
>I have backported version 1.3.5e to Stretch. I don't have access to the
>Git repository but I have uploaded the new package to people.debian.org.
>
>https://people.debian.org/~apo/proftpd/
>
>where you can grab the sources. There were at least three different
>memory leak issues that were fixed. Two of them are related to the
>mod_sftp module and this bug report, another one was in mod_facl. I
>intend to contact the release team next week for a stretch-pu.
>
>Regards,
>
>Markus
>

That should definitely be the easiest solution. Of course 1.3.5e does not
strictly fix only those three leaks, so that update could be unacceptable
for a secteam upload.

-- 
Francesco P. Lovergine


