Package: proftpd-basic
Version: 1.3.6-4+deb10u5
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hi,

it has been found that proftpd's mod_radius leaks uninitialised memory to the RADIUS server, as part of the encrypted User-Password.

Upstream report: https://github.com/proftpd/proftpd/issues/1284
Patch: https://github.com/proftpd/proftpd/pull/1285/files

Upstream fixed this in HEAD and version 1.3.7c.

Please consider applying the patch to buster and bullseye. If need be I can also look into supplying updated (source) packages.

Thanks.

Chris
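Added example, not part of the original report and not proftpd's code: a Python sketch of the RFC 2865 section 5.2 User-Password hiding, showing why the RADIUS server (which holds the shared secret) recovers every octet of the client's padded buffer, and a server-side check for padding that is not all NULs. It assumes the uninitialised bytes sit in the padding after the password, which the report does not spell out; all function names and sample values are constructed.

```python
import hashlib

BLOCK = 16  # RFC 2865 section 5.2 hides User-Password in 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(password: bytes) -> bytes:
    """Client side: NUL-fill to a multiple of 16 octets, as the RFC requires."""
    size = max(BLOCK, -(-len(password) // BLOCK) * BLOCK)
    return password.ljust(size, b"\x00")


def hide(buf: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide an already padded buffer: c(i) = p(i) XOR MD5(secret + c(i-1))."""
    out, prev = b"", authenticator
    for i in range(0, len(buf), BLOCK):
        prev = _xor(buf[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide(attr: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the whole padded buffer, padding included."""
    out, prev = b"", authenticator
    for i in range(0, len(attr), BLOCK):
        block = attr[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out


def padding_residue(attr: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return what follows the password's first NUL if it is not all NULs."""
    plain = unhide(attr, secret, authenticator)
    end = plain.find(b"\x00")
    tail = plain[end + 1:] if end >= 0 else b""
    return tail if tail.strip(b"\x00") else b""


# Constructed samples, not from the report; STALE simulates an uncleared buffer.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
GOOD = pad(b"hunter2")
STALE = b"hunter2\x00old-heap"

if __name__ == "__main__":
    for name, buf in (("zero-padded", GOOD), ("stale buffer", STALE)):
        attr = hide(buf, SECRET, AUTHENTICATOR)
        print(name, padding_residue(attr, SECRET, AUTHENTICATOR))
```

A server operator can run a check like `padding_residue` over decoded Access-Request packets to spot clients that still send non-NUL padding after the fixed package is deployed.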