proftpd DoS / CVE-2019-18217

Moritz Mühlenhoff jmm at inutil.org
Thu Oct 24 19:25:35 BST 2019


On Thu, Oct 24, 2019 at 06:30:07PM +0200, Hilmar Preuße wrote:
> On 21.10.2019 at 15:27, Moritz Muehlenhoff wrote:
> 
> Hi Moritz,
> 
> > https://github.com/proftpd/proftpd/issues/846 got assigned CVE-2019-18217 and sounds like
> > something we should release a DSA for.
> >
> > The upstream fix is https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4,
> > could you prepare updated packages for stretch-security and buster-security?
> >
> Attached is a debdiff for stretch and buster. I built new packages based
> on these diffs and gave them a few tests (install, run, connect, up-
> and downloading files). Unfortunately I can't really test if that patch
> really solves the issue. However, as it does not really differ from the
> upstream patch, I guess it does.

Thanks! 

> Do you want me to provide the source packages?

I'll review the debdiffs later today or tomorrow and will take care of
the builds/upload, thanks!

Cheers,
        Moritz


