proftpd DSA
Moritz Mühlenhoff
jmm at inutil.org
Thu Dec 5 17:14:08 GMT 2024
On Thu, Dec 05, 2024 at 02:57:36PM +0100, Preuße, Hilmar wrote:
> I've done so
> and created Bug#1088843 to request acceptance. That is how I've done it for
> "Terrapin" too. Not sure if that was correct.
For terrapin/proftpd the impact was really low indeed.
> The CVE made it into the news e.g. [1], the NIST itself says currently:
> "This vulnerability is currently awaiting analysis."
>
> As far as I understand it is possible to harden a proftpd server by changing
> the configuration, but it can be time consuming and the default
> configuration is vulnerable.
>
> What criteria do you use to decide if a DSA is needed?
There are no written-down hard criteria; it's a mix of many factors (how common
a software/configuration is, the impact, or the complexity to exploit).
With this I'd lean towards erring on the safe side and do a DSA even though mod_sql
might be a rare setup. So could you please upload the change done for stable-proposed-updates
(but with the target distro changed to bookworm-security) to security-master?
It needs to be built with -sa since this is the first security upload for proftpd
and ftp.d.o and security.d.o don't share tarballs.
We can close the SPU tracking bug when the DSA has been released.
Cheers,
Moritz