Bug#993173: proftpd-basic: mod_radius leaks memory contents to radius server

Chris Hofstaedtler zeha at debian.org
Sat Aug 28 12:31:47 BST 2021


Package: proftpd-basic
Version: 1.3.6-4+deb10u5
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Hi,

it has been found that proftpd's mod_radius leaks uninitialised memory
to the RADIUS server, as part of the encrypted User-Password.

Upstream report: https://github.com/proftpd/proftpd/issues/1284
Patch: https://github.com/proftpd/proftpd/pull/1285/files

Upstream fixed this in HEAD and version 1.3.7c.

Please consider applying the patch to buster and bullseye. If need be I
can also look into supplying updated (source) packages.

Thanks.
Chris

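The mechanism behind the report, as an added example that is not part of the bug report, the upstream patch or proftpd's own code: RFC 2865 section 5.2 hides User-Password by padding the password with nulls to a multiple of 16 octets and XORing each 16-octet block with MD5(shared secret || Request Authenticator) for the first block and MD5(shared secret || previous ciphertext block) for the rest. The RADIUS server reverses the stream and so sees every padding byte. The example assumes the uninitialised bytes end up in that padding region (the report does not say where in the attribute they sit); the password, shared secret, Request Authenticator and the "stale memory" contents are constructed values, and the function names are the example's own.

```python
"""RFC 2865 s5.2 User-Password hiding, plus a model of an unzeroed password buffer."""
import hashlib

BLOCK = 16

# Constructed values for the demonstration (not from the report).
SECRET = b"testing123"                      # RADIUS shared secret
AUTHENTICATOR = bytes(range(16))            # 16-octet Request Authenticator
PASSWORD = b"hunter2"                       # 7 bytes -> 9 bytes of padding
STALE_MEMORY = b"prev-conn: user=alice sess=ab12cd34 token=SECRET-TOKEN"


def _padded_len(n: int) -> int:
    """Round up to a 16-octet multiple; an empty password still occupies one block."""
    return ((n + BLOCK - 1) // BLOCK) * BLOCK or BLOCK


def _xor_stream(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """Shared core of hide/reveal: b1 = MD5(S+RA), bi = MD5(S+c(i-1))."""
    if len(data) % BLOCK or len(authenticator) != BLOCK:
        raise ValueError("input must be 16-octet aligned with a 16-octet authenticator")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + BLOCK]
        res = bytes(x ^ y for x, y in zip(chunk, b))
        out += res
        # The chain is keyed on the *ciphertext* block in both directions.
        prev = res if not decrypt else chunk
    return bytes(out)


def hide_password(padded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: turn the padded buffer into the User-Password attribute value."""
    return _xor_stream(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the padded buffer, padding bytes included."""
    return _xor_stream(hidden, secret, authenticator, decrypt=True)


def build_buffer_fixed(password: bytes) -> bytes:
    """Correct behaviour: a zero-filled buffer, so the padding is nulls as RFC 2865 requires."""
    buf = bytearray(_padded_len(len(password)))
    buf[:len(password)] = password
    return bytes(buf)


def build_buffer_unzeroed(password: bytes, stale_memory: bytes) -> bytes:
    """Models the bug: the buffer is taken from memory that was never cleared,
    so everything past the password is whatever was previously stored there."""
    n = _padded_len(len(password))
    if len(stale_memory) < n:
        raise ValueError("need at least %d bytes of modelled stale memory" % n)
    buf = bytearray(stale_memory[:n])
    buf[:len(password)] = password
    return bytes(buf)


def leaked_padding(password: bytes, stale_memory: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Bytes the RADIUS server (or anyone holding the shared secret and a
    capture) recovers beyond the password when the buffer was not zeroed."""
    hidden = hide_password(build_buffer_unzeroed(password, stale_memory), secret, authenticator)
    return reveal_password(hidden, secret, authenticator)[len(password):]


if __name__ == "__main__":
    good = reveal_password(hide_password(build_buffer_fixed(PASSWORD), SECRET, AUTHENTICATOR),
                           SECRET, AUTHENTICATOR)
    print("fixed   :", good)
    print("leaked  :", leaked_padding(PASSWORD, STALE_MEMORY, SECRET, AUTHENTICATOR))
```

Because the obfuscation is an XOR with a secret-derived MD5 stream, a passive observer without the shared secret learns nothing from the padding; the party that does see it is the RADIUS server, which is exactly the recipient the report names. The fix is the zero-filled buffer of `build_buffer_fixed`: the stream itself is unchanged, only the plaintext it covers.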