proftpd DSA
Hilmar Preuße
hille42 at web.de
Thu Dec 5 17:49:34 GMT 2024
Uploaded.
Hilmar
05.12.2024 18:29:40 Moritz Mühlenhoff <jmm at inutil.org>:
> On Thu, Dec 05, 2024 at 02:57:36PM +0100, Preuße, Hilmar wrote:
>
>> I've done so
>> and created Bug#1088843 to request acceptance. That is how I've done it for
>> "Terrapin" too. Not sure if that was correct.
>
> For terrapin/proftpd the impact was really low indeed.
>
>> The CVE made it into the news e.g. [1], the NIST itself says currently:
>> "This vulnerability is currently awaiting analysis."
>>
>> As far as I understand it is possible to harden a proftpd server by changing
>> the configuration, but it can be time consuming and the default
>> configuration is vulnerable.
>>
>> What criteria do you use to decide if a DSA is needed?
>
> There are no written-down hard criteria; it's a mix of many factors (how common
> a software/configuration is, the impact, or the complexity to exploit).
>
> With this I'd lean towards erring on the safe side and do a DSA even though mod_sql
> might be a rare setup. So could you please upload the change done for stable-proposed-updates
> (but with the target distro changed to bookworm-security) to security-master?
>
> It needs to be built with -sa since this is the first security upload for proftpd
> and ftp.d.o and security.d.o don't share tarballs.
>
> We can close the SPU tracking bug when the DSA has been released.
>
> Cheers,
> Moritz
>
> _______________________________________________
> Pkg-proftpd-maintainers mailing list
> Pkg-proftpd-maintainers at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-proftpd-maintainers
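The two things Moritz asks for in the upload (target distribution switched from the proposed-updates suite to bookworm-security, and the orig tarball included via -sa because ftp.d.o and security.d.o do not share tarballs) can both be verified from the .changes file before running dput. The script below is an added example, not something posted in this thread or shipped by the proftpd packaging; the package name, version strings and checksums in the sample .changes files are constructed placeholders, and the check only looks at the Distribution field and the Files stanza.

```shell
#!/bin/sh
# Added example: pre-upload sanity check for a security .changes file.
# check_changes FILE returns 0 only if
#   1. Distribution: is bookworm-security, and
#   2. the Files: stanza lists a .orig.tar.* (i.e. the build used -sa).
check_changes() {
  changes="$1"
  dist=$(sed -n 's/^Distribution: *//p' "$changes")
  if [ "$dist" != "bookworm-security" ]; then
    echo "FAIL: $changes: Distribution is '$dist', expected bookworm-security" >&2
    return 1
  fi
  # Files: entries are indented lines "md5 size section priority filename";
  # collect the filenames (field 5) until the next unindented header.
  if ! awk '/^Files:/ {infiles=1; next}
            infiles && /^ / {print $5; next}
            infiles {infiles=0}' "$changes" | grep -q -- '\.orig\.tar\.'; then
    echo "FAIL: $changes: no .orig.tar.* in Files; rebuild with dpkg-buildpackage -sa" >&2
    return 1
  fi
  echo "OK: $changes targets $dist and carries the orig tarball"
  return 0
}

# Constructed sample .changes files (placeholder package name, version and
# checksums; not real proftpd upload metadata). Written into DIR.
write_samples() {
  dir="$1"
  # good: security suite + orig tarball present
  cat > "$dir/good.changes" <<'EOF'
Format: 1.8
Source: proftpd
Architecture: source
Version: 0.0-EXAMPLE+deb12u1
Distribution: bookworm-security
Urgency: high
Files:
 00000000000000000000000000000000 1000 net optional proftpd_0.0-EXAMPLE+deb12u1.dsc
 00000000000000000000000000000000 2000 net optional proftpd_0.0-EXAMPLE.orig.tar.xz
 00000000000000000000000000000000 3000 net optional proftpd_0.0-EXAMPLE+deb12u1.debian.tar.xz
EOF
  # bad_dist: the SPU upload reused unchanged (wrong target suite)
  sed 's/^Distribution: .*/Distribution: bookworm-proposed-updates/' \
    "$dir/good.changes" > "$dir/bad_dist.changes"
  # bad_sa: right suite, but built without -sa so no orig tarball is listed
  grep -v '\.orig\.tar\.' "$dir/good.changes" > "$dir/bad_sa.changes"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_changes "$tmp/good.changes"
check_changes "$tmp/bad_dist.changes" || true
check_changes "$tmp/bad_sa.changes" || true
```

Run it against the real .changes produced for the security upload in place of the constructed samples; a FAIL on the second check means the source was built without -sa and the upload would be rejected for a missing orig tarball.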