On 2/22/20 5:52 PM, Salvatore Bonaccorso wrote:
> On Fri, Feb 21, 2020 at 10:07:42PM +0100, Hilmar Preusse wrote:

Hi Salvatore,

>> Package: proftpd-basic
>> Version: 1.3.6-4+deb10u3
>> Severity: important
>> Tags: upstream
>>
>> This is to track CVE-2020-9273.
>>
>> I'm not 100% sure if jessie is affected too. At least the
>> CVE does not report it.
>
> While being here at snowcamp I worked on updating for this CVE,
> attached is the result for buster which is only applying basically
> unchanged the upstream commit.
>

The fix for this issue (+ patch for two other issues) is already in the buster branch on salsa. I planned to upload that ASAP. Not sure if it will still happen this week.

> Will try to do next the stretch-security one. But if you have an
> idea how to reach the reporter please let me/us know.
>

Yes, that would be great. The patch for 1.3.6 does not apply cleanly to the 1.3.5b from Debian stretch.

Thanks,
  Hilmar
--
sigfault
#206401 http://counter.li.org