Your message dated Tue, 24 Feb 2009 12:26:54 +0100
with message-id <20090224112653.gc9...@mithrandir>
and subject line Re: Bug#516388: proftpd: Several SQL injection vulnerabilities
has caused the Debian Bug report #516388,
regarding proftpd: Several SQL injection vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
516388: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516388
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: proftpd
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for proftpd.

CVE-2009-0543[0]:
| ProFTPD Server 1.3.1, with NLS support enabled, allows remote
| attackers to bypass SQL injection protection mechanisms via invalid,
| encoded multibyte characters, which are not properly handled in (1)
| mod_sql_mysql and (2) mod_sql_postgres.

CVE-2009-0542[1]:
| SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2
| allows remote attackers to execute arbitrary SQL commands via a "%"
| (percent) character in the username, which introduces a "'" (single
| quote) character during variable substitution by mod_sql.

The postgresql part should still be vulnerable as discussed via
previous mail. The second issue seems to be still unaddressed. It needs
to be investigated whether upstream's fix is complete, since it doesn't
seem to use the usual escaping functions.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0543
    http://security-tracker.debian.net/tracker/CVE-2009-0543
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542
    http://security-tracker.debian.net/tracker/CVE-2009-0542
--- End Message ---
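The two advisories quoted above describe a class of bug rather than a single query: a quote-escaping routine that works on raw bytes can be undone when the database later interprets those bytes in a multibyte charset, because a lead byte with no trail byte swallows the inserted backslash. The following is an added example, not ProFTPD or Debian code, and it does not reproduce mod_sql's actual code path; it models the general mechanism with a constructed GBK-style input, then shows the bound-parameter form that is not affected. The table name, column names, sample user and helper names are all assumptions for illustration.

```python
# Added example, not ProFTPD code: a byte-wise quote-escaping routine of the
# kind the advisories call a "SQL injection protection mechanism", defeated by
# an invalid multibyte lead byte, next to a parameterised query.
import sqlite3

# Constructed sample input: 0xBF is a GBK lead byte with no valid trail byte.
# After byte-wise escaping the backslash (0x5C) becomes its trail byte.
MALICIOUS_USER = b"\xbf' OR 1=1 --"
BENIGN_USER = b"alice"


def naive_escape(value: bytes) -> bytes:
    """Escape ' and \\ one byte at a time, ignoring the connection charset."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x5C):          # ' or \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(username: bytes) -> bytes:
    """String-built query (assumed table/column names), as bytes on the wire."""
    return b"SELECT uid FROM users WHERE userid='" + naive_escape(username) + b"'"


def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash, as a server that
    honours backslash escapes (e.g. MySQL) would tokenise the decoded text."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2                     # the escaped character is skipped
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count


def first_literal(sql: str) -> str:
    """Contents of the first single-quoted literal after honouring escapes."""
    i, out = sql.index("'") + 1, []
    while i < len(sql):
        if sql[i] == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
            continue
        if sql[i] == "'":
            break
        out.append(sql[i])
        i += 1
    return "".join(out)


def literal_as_seen_by(charset: str, username: bytes = MALICIOUS_USER) -> str:
    """The username literal the server sees once it decodes the query bytes
    in its connection charset: intact for a single-byte charset, truncated
    to one CJK character for GBK (the rest of the input becomes SQL)."""
    return first_literal(build_query(username).decode(charset))


def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, uid INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 1000)")
    return conn


def lookup_string_built_gbk(conn: sqlite3.Connection, username: bytes):
    """Run the GBK rendering of the escaped query. That text no longer
    contains a backslash, so SQLite (which does not honour backslash
    escapes at all) sees exactly what a GBK-configured server would."""
    row = conn.execute(build_query(username).decode("gbk")).fetchone()
    return row[0] if row else None


def lookup_parameterised(conn: sqlite3.Connection, username: bytes):
    """Bound parameter: the value never enters the SQL text, so there is
    nothing to escape and charset confusion cannot change the query."""
    name = username.decode("gbk", errors="replace")
    row = conn.execute("SELECT uid FROM users WHERE userid=?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(repr(literal_as_seen_by("latin-1")))   # whole input stays data
    print(repr(literal_as_seen_by("gbk")))       # one character; rest is SQL
    print(lookup_string_built_gbk(db, MALICIOUS_USER))
    print(lookup_parameterised(db, MALICIOUS_USER))
```

Decoded as a single-byte charset the escaped query has two unescaped quotes and the whole username stays inside the literal; decoded as GBK the 0xBF 0x5C pair becomes one character, the injected quote closes the literal, and the string-built lookup returns the constructed user's uid. The parameterised lookup returns nothing for the same input, which is the property a charset-aware fix or, better, prepared statements should provide.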
--- Begin Message ---
Package: proftpd-dfsg
Version: 1.3.2-1

Note that 1.3.1-17 also partially fixes CVE-2009-0543. That bug
does not apply to 1.3.0. Next time it would be better to report
each issue separately.

-- 
Francesco P. Lovergine


--- End Message ---