Bug#993173: proftpd-basic: mod_radius leaks memory contents to radius server
Chris Hofstaedtler
zeha at debian.org
Sat Aug 28 12:31:47 BST 2021
Package: proftpd-basic
Version: 1.3.6-4+deb10u5
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Hi,
it has been found that proftpd's mod_radius leaks uninitialised memory
to the RADIUS server, as part of the encrypted User-Password.
Upstream report: https://github.com/proftpd/proftpd/issues/1284
Patch: https://github.com/proftpd/proftpd/pull/1285/files
Upstream fixed this in HEAD and version 1.3.7c.
Please consider applying the patch to buster and bullseye. If need be I
can also look into supplying updated (source) packages.
Thanks.
Chris
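The mechanism behind the report: RFC 2865 section 5.2 pads the User-Password to a multiple of 16 octets and then XORs it, block by block, with MD5(shared secret || previous block), starting from the Request Authenticator. Whatever sits in the padding bytes is encrypted and sent, and the RADIUS server, which holds the shared secret, recovers it in the clear. The following is an added illustration of that attribute hiding and of what the server sees when the tail of the buffer is not zero-filled. It is not proftpd's mod_radius code and not the upstream patch; the function names, the shared secret, the fixed authenticator and the `STALE` filler (a stand-in for whatever was left in memory) are constructed for the example.

```python
"""RFC 2865 section 5.2 User-Password hiding, plus a demonstration of what a
RADIUS server recovers when the 16-byte-aligned password buffer is not
zero-filled before encryption. Added illustration, not proftpd code; the
filler bytes stand in for leftover memory contents and are constructed."""
import hashlib

BLOCK = 16


def pad_password(password: bytes, filler: bytes = b"\x00") -> bytes:
    """Extend `password` to the 16..128-byte, 16-aligned length RFC 2865
    requires. `filler` is the byte pattern used for the tail: the RFC says
    nulls; a forgetful implementation sends whatever the buffer held."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded_len = max(BLOCK, ((len(password) + BLOCK - 1) // BLOCK) * BLOCK)
    tail_len = padded_len - len(password)
    tail = (filler * padded_len)[:tail_len]
    return password + tail


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(padded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = Request Authenticator."""
    if len(authenticator) != BLOCK or len(padded) % BLOCK:
        raise ValueError("authenticator must be 16 bytes, padded must be 16-aligned")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + BLOCK], keystream)
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain run backwards. Anything the client put in
    the buffer, password or not, comes out here in the clear."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + BLOCK], keystream)
        prev = hidden[i:i + BLOCK]
    return bytes(out)


def server_view(password: bytes, secret: bytes, authenticator: bytes,
                filler: bytes = b"\x00") -> tuple:
    """Run one attribute through client and server and split what the server
    recovers into (password, trailing bytes). With a non-zero filler the
    trailing bytes are exactly the leaked buffer contents."""
    padded = pad_password(password, filler)
    hidden = hide_password(padded, secret, authenticator)
    recovered = unhide_password(hidden, secret, authenticator)
    return recovered[:len(password)], recovered[len(password):]


# Constructed sample inputs (a real client uses a fresh random authenticator).
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
STALE = b"\xde\xad\xbe\xef"  # stand-in for whatever the buffer held before

if __name__ == "__main__":
    for filler in (b"\x00", STALE):
        pw, tail = server_view(b"hunter2", SECRET, AUTHENTICATOR, filler)
        print(f"filler={filler!r}: password={pw!r} tail={tail.hex()}")
```

With a seven-byte password, nine bytes of tail reach the server; a password whose length is already a multiple of 16 has no tail and leaks nothing, which is why such a bug is easy to miss in testing. The fix on the client side is to zero the whole padded buffer before copying the password into it, independent of the password length.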