Package: proftpd-basic
Version: 1.3.4a-2+b1
Severity: normal

See upstream bug <http://bugs.proftpd.org/show_bug.cgi?id=3839>, which also
includes a patch.

Proftpd doesn't drop root privileges completely, so if an attacker is capable
of performing a remote code execution attack on proftpd, he can probably gain
full access to the system, although proftpd tries to prevent this by dropping
privileges.

The upstream patch not only fixes the issue but also adds a new configuration
option - merely fixing the issue would take ~5 lines of code. TJ Saunders
classified this as an enhancement, not a bugfix, but I think that it is worth
backporting regardless of that.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages proftpd-basic depends on:
ii  adduser         3.113+nmu3
ii  debconf         1.5.49
ii  debianutils     4.3.2
ii  libacl1         2.2.51-8
ii  libc6           2.13-37
ii  libcap2         1:2.22-1.2
ii  libncurses5     5.9-10
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libpcre3        1:8.30-5
ii  libssl1.0.0     1.0.1c-4
ii  libtinfo5       5.9-10
ii  libwrap0        7.6.q-24
ii  netbase         5.0
ii  sed             4.2.1-10
ii  ucf             3.0025+nmu3
ii  update-inetd    4.43
ii  zlib1g          1:1.2.7.dfsg-13

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openbsd-inetd [inet-superserver]  0.20091229-2
ii  openssl                           1.0.1c-4
pn  proftpd-doc                       <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded
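The report's point is that a privilege drop which leaves root in the saved uid can be undone by whatever code runs in the process afterwards, so a remote code execution bug turns into full root. The following added example is not code from the bug report, the upstream patch or ProFTPD; it contrasts a temporary drop (seteuid/setegid, which leaves the saved uid at 0) with a permanent one (setgroups, setgid, setuid) and checks afterwards that root can no longer be regained. The function names, the target ids and the uid/gid 65534 used when the program is started as root are the example's own choices, and the code is Linux-specific.

```c
/* Added example (not from the bug report, the upstream patch or ProFTPD):
 * a permanent privilege drop with a self-check that root cannot be regained.
 * Linux-specific. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the process can still become root, 0 otherwise.
 * After a complete drop no uid in the real/effective/saved set is 0, so both
 * calls must fail with EPERM. If either succeeds, the process is root again
 * and the drop was incomplete. */
int can_regain_root(void) {
    if (seteuid(0) == 0) return 1;
    if (setuid(0) == 0) return 1;
    return 0;
}

/* The incomplete pattern: only the effective ids change. The saved uid stays
 * 0, so any later seteuid(0) from the same process succeeds. */
int drop_privileges_temporarily(uid_t uid, gid_t gid) {
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) return -1;
    return 0;
}

/* The complete pattern. Supplementary groups are cleared first (only possible
 * while still root), then the gid, then the uid last. Called with root
 * privilege, setgid()/setuid() set the real, effective and saved ids together
 * (POSIX), which is what makes the drop permanent. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the visible ids ... */
    if (getuid() != uid || geteuid() != uid) return -2;
    if (getgid() != gid || getegid() != gid) return -2;
    /* ... and that the saved uid does not still hold root. */
    if (can_regain_root()) return -3;
    return 0;
}

/* Target ids for the demonstration (example choice, not looked up): 65534,
 * conventionally "nobody", when started as root; otherwise the caller's own
 * ids, which an unprivileged process may always set. */
uid_t demo_uid(void) { return geteuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t demo_gid(void) { return geteuid() == 0 ? (gid_t)65534 : getgid(); }

int main(void) {
    uid_t uid = demo_uid();
    gid_t gid = demo_gid();
    if (geteuid() == 0) {
        if (drop_privileges_temporarily(uid, gid) != 0) {
            perror("temporary drop");
            return 1;
        }
        /* Expected: 1. Note that can_regain_root() has just restored euid 0
         * via seteuid(0), so the permanent drop below starts from root. */
        printf("after seteuid()/setegid(): can regain root = %d\n",
               can_regain_root());
    } else {
        printf("not started as root; showing only the permanent drop\n");
    }
    int rc = drop_privileges_permanently(uid, gid);
    printf("permanent drop rc=%d, can regain root = %d\n", rc,
           can_regain_root());
    return rc == 0 ? 0 : 1;
}
```

Compile with `cc -o privdrop privdrop.c` and run it once unprivileged and once as root: only the root run can show the temporary-drop case, since an unprivileged process has no root to keep. The `can_regain_root()` check after the drop is the kind of assertion worth keeping in a daemon's start-up path or in its test suite, because it detects exactly the condition the report describes regardless of which setuid-family calls were used.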