CVE-2023-48795 proftp* & Debian stable
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 23 12:51:46 GMT 2023
Hi Hilmar
On Sat, Dec 23, 2023 at 01:03:45AM +0100, Preuße, Hilmar wrote:
> Dear Moritz, dear Salvatore,
>
> sorry for contacting you directly.
>
> I've fixed CVE-2023-48795 for proftp in Debian unstable. As soon as
> "#1059179: transition: proftpd-dfsg" is addressed, the fix will enter
> testing.
>
> Now about bookworm: I've added the patch to the appropriate branches on
> salsa and can at least confirm that package building still works using an
> sbuilder and upstream's test suite runs fine for proftp (core). For
> proftpd-mod-proxy package building works on sbuild.
>
> Unfortunately I don't use proftp extensively and the proxy module not at
> all. Hence I can't really say if the patch brings in regressions. Should I
> nevertheless push the patch to Debian stable? If yes, I'd need a pointer how
> this needs to be done.
I will try to have a look in the next days, maybe this afternoon. Both
issues were already marked as no-dsa, but one question is if a
connection security downgrade is possible.

Will come back to you.

Speaking of pushing a patch to stable: Thus I won't press it too much
and take a slow approach rather.

Regards,
Salvatore