severity 609703 normal
thanks

On Tue, Jan 11, 2011 at 07:18:23PM +0100, Sebastian Scheible wrote:
> Package: proftpd-basic
> Version: 1.3.1-17lenny4
> Severity: critical
> Tags: security
> Justification: root security hole
>
> As described in
> http://www.h-online.com/open/news/item/Phrack-hole-closed-in-ProFTPD-1156782.html
>
> upstream version 1.3.3d fixes a remote root exploit in
> previous versions (proftpd bug Bug#3536). Quote: "A buffer overflow in
> the function sql_prepare_where() allows attackers to remotely execute
> arbitrary code on the server."
>
Also note that in order to exploit the sql_prepare_where() bug, you need an
unfixed CVE-2009-0542, which has been fixed for ages in Lenny. So the gravity
of this problem is greatly reduced.

--
Francesco P. Lovergine