Your message dated Fri, 18 Nov 2011 01:57:38 +0000
with message-id <e1rrdhy-0003ko...@franck.debian.org>
and subject line Bug#648373: fixed in proftpd-dfsg 1.3.3a-6squeeze4
has caused the Debian Bug report #648373,
regarding [CVE-2011-4130] Use-after-free issue
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
648373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: proftpd-dfsg
Version: 1.3.3a-6squeeze1
Severity: grave
Tags: security
A use-after-free issue has been discovered in ProFTPd:
<http://bugs.proftpd.org/show_bug.cgi?id=3711>
It seems that squeeze is vulnerable, too. I haven't checked the code
in lenny yet.
--- End Message ---
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.3a-6squeeze4
We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:
proftpd-basic_1.3.3a-6squeeze4_amd64.deb
to main/p/proftpd-dfsg/proftpd-basic_1.3.3a-6squeeze4_amd64.deb
proftpd-dev_1.3.3a-6squeeze4_amd64.deb
to main/p/proftpd-dfsg/proftpd-dev_1.3.3a-6squeeze4_amd64.deb
proftpd-dfsg_1.3.3a-6squeeze4.diff.gz
to main/p/proftpd-dfsg/proftpd-dfsg_1.3.3a-6squeeze4.diff.gz
proftpd-dfsg_1.3.3a-6squeeze4.dsc
to main/p/proftpd-dfsg/proftpd-dfsg_1.3.3a-6squeeze4.dsc
proftpd-doc_1.3.3a-6squeeze4_all.deb
to main/p/proftpd-dfsg/proftpd-doc_1.3.3a-6squeeze4_all.deb
proftpd-mod-ldap_1.3.3a-6squeeze4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.3a-6squeeze4_amd64.deb
proftpd-mod-mysql_1.3.3a-6squeeze4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.3a-6squeeze4_amd64.deb
proftpd-mod-odbc_1.3.3a-6squeeze4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-odbc_1.3.3a-6squeeze4_amd64.deb
proftpd-mod-pgsql_1.3.3a-6squeeze4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.3a-6squeeze4_amd64.deb
proftpd-mod-sqlite_1.3.3a-6squeeze4_amd64.deb
to main/p/proftpd-dfsg/proftpd-mod-sqlite_1.3.3a-6squeeze4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 648...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <fran...@debian.org> (supplier of updated
proftpd-dfsg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 13 Nov 2011 23:17:40 +0100
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite
Architecture: source amd64 all
Version: 1.3.3a-6squeeze4
Distribution: stable-security
Urgency: low
Maintainer: Francesco Paolo Lovergine <fran...@debian.org>
Changed-By: Francesco Paolo Lovergine <fran...@debian.org>
Description:
proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 648373
Changes:
proftpd-dfsg (1.3.3a-6squeeze4) stable-security; urgency=low
  .
  * [SECURITY] 3711.dpatch. This patch fixes a response pool use-after-free
    memory corruption error. This is CVE-2011-4130.
    (closes: #648373)
  * [SECURITY] 3624.dpatch. This patch fixes the issue by causing mod_tls to
    clear the buffers of any data received from the client, once the SSL/TLS
    handshake has succeeded. This is similar to CVE-2011-0411.
Checksums-Sha1:
ec267578b10cf9d6bc8a4530475e843dfd95944a 1426 proftpd-dfsg_1.3.3a-6squeeze4.dsc
77fc5a4f580ef1058ff65efd3cdc70e1253259ee 108182 proftpd-dfsg_1.3.3a-6squeeze4.diff.gz
2bb34561a039215ea11cff34ee3268dc12f4314d 2404094 proftpd-basic_1.3.3a-6squeeze4_amd64.deb
639d175827dd98d8f9d948f5bc36eee3eef3ade6 889434 proftpd-dev_1.3.3a-6squeeze4_amd64.deb
24c56111e8f630e591fe989801fb2718dfcecb26 346766 proftpd-mod-mysql_1.3.3a-6squeeze4_amd64.deb
b04e399315ed46aa1c56e66358f9e0748812441d 346460 proftpd-mod-pgsql_1.3.3a-6squeeze4_amd64.deb
6ff8aa6b9835f601cbea97306c91cd2c79f0b0f2 356368 proftpd-mod-ldap_1.3.3a-6squeeze4_amd64.deb
0aafd36b9de917652d76f505db548abff97b73df 348098 proftpd-mod-odbc_1.3.3a-6squeeze4_amd64.deb
f6d9f188145de28b19047de0f2eb97a8fea33aef 345812 proftpd-mod-sqlite_1.3.3a-6squeeze4_amd64.deb
f562db641c3b62d78607c12c8d02246a79453706 1508134 proftpd-doc_1.3.3a-6squeeze4_all.deb
Checksums-Sha256:
78b1d27e6e274a62bf7991ad97563026ebb34b563059fce886e6ed799a963d7e 1426 proftpd-dfsg_1.3.3a-6squeeze4.dsc
719326db8ac471e1caf1c534aeb5d5da5baa323659582270ac7f1074fc89ed88 108182 proftpd-dfsg_1.3.3a-6squeeze4.diff.gz
6d3193773f15687e79596e7fdc77b20b6f1258688a0682f2d1438eb1c35354e5 2404094 proftpd-basic_1.3.3a-6squeeze4_amd64.deb
fb43302e6c0c4e5f0467e022e74e2cdc229eb39dbe2a36b52fadaac0d3679121 889434 proftpd-dev_1.3.3a-6squeeze4_amd64.deb
0723b60e23e906fe3d20a1926425bf1d364ba333638835710e2d5a808cd08061 346766 proftpd-mod-mysql_1.3.3a-6squeeze4_amd64.deb
699b78ffef8989c09328fee992d1d8b298f18099d61674aafc535f17ab17fcef 346460 proftpd-mod-pgsql_1.3.3a-6squeeze4_amd64.deb
f18db91364fb224c57845453b68595f230cf0687c2b26fe08a2cfc394ebd36cc 356368 proftpd-mod-ldap_1.3.3a-6squeeze4_amd64.deb
1b28312578e66c47f8c1d23a0d271384ccfb09457f9677886d8f43a503ae6995 348098 proftpd-mod-odbc_1.3.3a-6squeeze4_amd64.deb
a5edfc13235c1ce1f853501302a527962584306855426d4a4d39cf9132f20c9a 345812 proftpd-mod-sqlite_1.3.3a-6squeeze4_amd64.deb
ee95291ecd3f141f06b57e68f0a358b96b8990be376c92f28aa7aeddc157fdae 1508134 proftpd-doc_1.3.3a-6squeeze4_all.deb
Files:
9413b160e117caf0ce596be1097318aa 1426 net optional proftpd-dfsg_1.3.3a-6squeeze4.dsc
cb160663d3a546eab13b24459899a52e 108182 net optional proftpd-dfsg_1.3.3a-6squeeze4.diff.gz
585ab2c70be0387a29d049a1d1a57ae1 2404094 net optional proftpd-basic_1.3.3a-6squeeze4_amd64.deb
dc024acfcd4f39deca0f629808c9aa0a 889434 net optional proftpd-dev_1.3.3a-6squeeze4_amd64.deb
5b62dcf505d01e55834eea4811cc46eb 346766 net optional proftpd-mod-mysql_1.3.3a-6squeeze4_amd64.deb
3b9d79f9960f127f1c3d2275b3551547 346460 net optional proftpd-mod-pgsql_1.3.3a-6squeeze4_amd64.deb
6d9ee226da8c02b88fa0528e582452b4 356368 net optional proftpd-mod-ldap_1.3.3a-6squeeze4_amd64.deb
c127b01d43516a0f4a719c96d9b88273 348098 net optional proftpd-mod-odbc_1.3.3a-6squeeze4_amd64.deb
577c0f5d16222bc1889d0ec690d4d05a 345812 net optional proftpd-mod-sqlite_1.3.3a-6squeeze4_amd64.deb
cb642939f5b69a544fce7057da69a41f 1508134 doc optional proftpd-doc_1.3.3a-6squeeze4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk7ASFkACgkQpFNRmenyx0e5nQCcCvwNiDQ6jMyjfe/wonrw5nye
LWYAoIZoZiBBPqcC31KroaSvdGHiZNSg
=if7l
-----END PGP SIGNATURE-----
--- End Message ---