Your message dated Fri, 17 Oct 2008 19:02:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500278: fixed in linux-ftpd 0.17-29
has caused the Debian Bug report #500278,
regarding ftpd: command line split (CSRF)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
500278: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500278
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: ftpd
Version: 0.17-23
Severity: normal
Similar to recent OpenBSD changes:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpcmd.y
this Debian package seems vulnerable to the same issue
(and I expect the solution here to be the same).
See also:
multiple vendor ftpd - Cross-site request forgery
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064697.html
(My setting of severity on this bug is probably alarmist...)
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-pk02.19-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages ftpd depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii libpam-modules 0.79-5 Pluggable Authentication Modules f
ii libpam0g 0.79-5 Pluggable Authentication Modules l
ii netbase 4.29 Basic TCP/IP networking system
ftpd recommends no packages.
-- debconf information:
* ftpd/globattack:
--- End Message ---
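The report above refers to the OpenBSD ftpcmd.y change for the "command line split" problem: an ftpd that reads commands into a fixed-size buffer and, when a line is longer than the buffer, simply treats the unread remainder as the next command. The hardened reader instead discards the rest of the over-long line and answers with an error. The following is an added illustration written for this page, not code from linux-ftpd, OpenBSD or the reporter; the 16-byte buffer, the in-memory input stream and the sample lines are all constructed so the effect is visible on a short input.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the package's own code. It models how an FTP command
 * reader with a fixed-size line buffer behaves when a line is longer than
 * the buffer: the unsafe reader lets the tail of the line come back as the
 * next "command"; the hardened reader discards the tail and reports an
 * error instead. The buffer is deliberately tiny (assumption for the demo). */
#define CMDBUF 16

/* Constructed stand-in for the control connection: bytes from a string. */
struct instream { const char *p; };

static int next_byte(struct instream *in)
{
    if (*in->p == '\0')
        return -1;               /* end of input, like EOF on the socket */
    return (unsigned char)*in->p++;
}

enum line_status { LINE_OK, LINE_EOF, LINE_TOO_LONG };

/* Unsafe reader: stops when the buffer is full and leaves the rest of the
 * line unread, so the next call returns that remainder as a fresh line. */
static enum line_status split_getline(char *buf, size_t size, struct instream *in)
{
    size_t n = 0;
    int c = -1;
    while (n < size - 1 && (c = next_byte(in)) != -1) {
        if (c == '\n')
            break;
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    return (n == 0 && c == -1) ? LINE_EOF : LINE_OK;
}

/* Hardened reader: if the buffer fills before the newline, drain the rest
 * of the physical line and signal an error; none of it reaches the parser. */
static enum line_status safe_getline(char *buf, size_t size, struct instream *in)
{
    size_t n = 0;
    int c;
    while ((c = next_byte(in)) != -1 && c != '\n') {
        if (n == size - 1) {
            while ((c = next_byte(in)) != -1 && c != '\n') {
                /* discard the remainder of the over-long line */
            }
            buf[0] = '\0';
            return LINE_TOO_LONG;    /* the server would reply with a 500 error */
        }
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    return (n == 0 && c == -1) ? LINE_EOF : LINE_OK;
}

/* Runs a whole session through the chosen reader and counts how many lines
 * would reach the command dispatcher and how many are rejected as too long. */
static void run_session(int use_safe, const char *input, int *dispatched, int *rejected)
{
    struct instream in = { input };
    char line[CMDBUF];
    enum line_status st;
    *dispatched = 0;
    *rejected = 0;
    for (;;) {
        st = use_safe ? safe_getline(line, sizeof line, &in)
                      : split_getline(line, sizeof line, &in);
        if (st == LINE_EOF)
            break;
        if (st == LINE_TOO_LONG) {
            (*rejected)++;
            continue;
        }
        (*dispatched)++;         /* a real server would parse the verb here */
        printf("  dispatch: \"%s\"\n", line);
    }
}

static int count_dispatched(int use_safe, const char *input)
{
    int d, r;
    run_session(use_safe, input, &d, &r);
    return d;
}

static int count_rejected(int use_safe, const char *input)
{
    int d, r;
    run_session(use_safe, input, &d, &r);
    return r;
}

int main(void)
{
    /* Constructed input: one 18-byte line, longer than the 15-byte buffer. */
    const char *overlong = "USER aaaaaaaaaaPWD\n";
    int d, r;
    printf("unsafe reader:\n");
    run_session(0, overlong, &d, &r);
    printf("  %d dispatched, %d rejected\n", d, r);
    printf("safe reader:\n");
    run_session(1, overlong, &d, &r);
    printf("  %d dispatched, %d rejected\n", d, r);
    return 0;
}
```

With the unsafe reader the single over-long line is dispatched as two commands ("USER aaaaaaaaaa" and then "PWD"); with the hardened reader it is rejected once and nothing from it is executed, while ordinary one-command-per-line input is unaffected. A detection angle for operators is the same signal: a spike in "line too long" rejections on the control connection after the fix is deployed points at clients sending such input.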
--- Begin Message ---
Source: linux-ftpd
Source-Version: 0.17-29
We believe that the bug you reported is fixed in the latest version of
linux-ftpd, which is due to be installed in the Debian FTP archive:
ftpd_0.17-29_i386.deb
to pool/main/l/linux-ftpd/ftpd_0.17-29_i386.deb
linux-ftpd_0.17-29.diff.gz
to pool/main/l/linux-ftpd/linux-ftpd_0.17-29.diff.gz
linux-ftpd_0.17-29.dsc
to pool/main/l/linux-ftpd/linux-ftpd_0.17-29.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> (supplier of updated linux-ftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 17 Oct 2008 20:34:17 +0200
Source: linux-ftpd
Binary: ftpd
Architecture: source i386
Version: 0.17-29
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Changed-By: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Description:
ftpd - File Transfer Protocol (FTP) server
Closes: 493433 500278
Changes:
linux-ftpd (0.17-29) unstable; urgency=high
.
* Ian Beckwith:
- Patch to fix cross-site request forgery (CSRF) attacks.
CVE-2008-4247 (Closes: #500278)
* Updated package description. (Closes: #493433)
Checksums-Sha1:
602b955a2269dab421fe1136f8042022565842a9 1006 linux-ftpd_0.17-29.dsc
17a94fa3307cd6ad3c1a60ca7e295cdca91f0196 17754 linux-ftpd_0.17-29.diff.gz
fa338494542ea14250a05e4d660650c97bf43868 43566 ftpd_0.17-29_i386.deb
Checksums-Sha256:
b2a658c51f5b1d77279c04f27897a952d73e68e91904ca97a80e4e006de2fe33 1006 linux-ftpd_0.17-29.dsc
d5acace5666ae0b3f3a1ce2e256d8d68d6ec6edacc4af28b0a52fc98e24deecd 17754 linux-ftpd_0.17-29.diff.gz
b4abcf1db8b20bab7c0545946098871c8b22bfa69fa5270f1ac21f9bac2402b8 43566 ftpd_0.17-29_i386.deb
Files:
0e8a0a5d0a2671b9afc8694a2aa81fab 1006 net extra linux-ftpd_0.17-29.dsc
b65ab41af52b55f3e28fbbfc69594d12 17754 net extra linux-ftpd_0.17-29.diff.gz
cdec41b0bfe8d3b6e25d997e7e349554 43566 net extra ftpd_0.17-29_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkj43lgACgkQxRSvjkukAcOyoQCgh4U3nR4raG5Of5gFgi3wJK6Y
YtwAoKeFjcFuAUh1HCQ5J683gDVGLj6w
=VUEU
-----END PGP SIGNATURE-----
--- End Message ---