Your message dated Tue, 17 Apr 2007 22:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#419255: fixed in proftpd-dfsg 1.3.0-22
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: proftpd-mysql
Version: 1.3.0-19
Severity: grave

This is not really mysql related, but should apply to all proftpd sql
packages. I have the following configuration in my proftpd.conf:

SQLAuthTypes Crypt Plaintext
SQLAuthenticate users* groups*
SQLConnectInfo [EMAIL PROTECTED] syscp MYSQL_PASSWORD
SQLUserInfo ftp_users username password uid gid homedir shell
SQLGroupInfo ftp_groups groupname gid members
SQLUserWhereClause "login_enabled = 'y'"

One would think that a user who is defined in ftp_users should be able to
log in with his password (which can be encrypted or not), and that a
system user should also be able to log in. The first is perfectly true,
so is the second, BUT: a system user is also able to log in with ! or *
as password. ! or * in /etc/shadow indicates a bad password, so the
user shouldn't be able to log in (this is done for the users www-data,
ftp, postfix, etc...) but proftpd seems to ignore that if SQLAuthTypes
Plaintext is set and allows the user to log in with ! or * as password
(whatever is set in /etc/shadow).

IMHO this is a grave security bug, because if someone enables plaintext
for SQL anyone can log in with (guessable) system accounts and do some
sh** :(

--
   ^^^    | Evgeni -SargentD- Golov ([EMAIL PROTECTED])
 d(O_o)b  | GPG/PGP-Key-ID: 0xAC15B50C
  >-|-<   | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
   / \    | http://www.die-welt.net - [EMAIL PROTECTED]

If you had a chance, right now, to go back in time and stop Hitler,
wouldn't you do it? I mean, I personally wouldn't stop him, because I
think he was awesome, but you would right? (Eric Cartman, Make Love,
not Warcraft)

Attachment: pgpM8KBhI95jq.pgp
Description: PGP signature


--- End Message ---
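An added illustration of the failure class the report above describes. This is example code written for this page, not ProFTPD's mod_sql or mod_auth_unix source, and it does not claim to show how the patched package behaves: a "Plaintext" password check that compares the stored credential field byte-for-byte with what the client typed will accept "!" or "*" as the password whenever that field is a shadow lock marker rather than a hash. The hardened variant refuses locked fields before comparing anything, and compares in constant time. The account table is constructed sample data and all function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample (not taken from any real system): the credential field
 * each backend would hand to the password check. For the SQL user this is the
 * ftp_users.password column; for the system accounts it is the second field
 * of /etc/shadow, where a leading '!' or '*' means "locked, no valid hash". */
struct cred { const char *user; const char *stored; };
static const struct cred SAMPLE[] = {
    { "alice",    "s3cret" },
    { "www-data", "*"      },
    { "ftp",      "!"      },
    { "postfix",  "!"      },
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Naive "Plaintext" check in the spirit of the report: the stored field is
 * compared byte-for-byte with what the client typed, so a lock marker such
 * as "!" or "*" is itself a working password for that account. */
int plaintext_check_naive(const char *stored, const char *supplied)
{
    return strcmp(stored, supplied) == 0;
}

/* A field that is empty or starts with a shadow lock marker is never a
 * credential (passwd -l prefixes '!', disabled daemon accounts carry '*'). */
int cred_is_locked(const char *stored)
{
    return stored == NULL || stored[0] == '\0'
        || stored[0] == '!' || stored[0] == '*';
}

/* Constant-time string equality: no early exit on the first mismatch. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Hardened check: refuse locked fields before comparing anything. */
int plaintext_check_hardened(const char *stored, const char *supplied)
{
    if (cred_is_locked(stored))
        return 0;
    return ct_equal(stored, supplied);
}

/* How many accounts in SAMPLE does a given check let in when the client
 * simply types "!" or "*" as the password? A sound check returns 0. */
int count_lock_marker_logins(int (*check)(const char *, const char *))
{
    static const char *const guesses[] = { "!", "*" };
    int n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        for (size_t g = 0; g < 2; g++)
            if (check(SAMPLE[i].stored, guesses[g])) { n++; break; }
    return n;
}

int main(void)
{
    printf("lock-marker logins, naive check:    %d\n",
           count_lock_marker_logins(plaintext_check_naive));     /* 3 */
    printf("lock-marker logins, hardened check: %d\n",
           count_lock_marker_logins(plaintext_check_hardened));  /* 0 */
    printf("alice/s3cret, hardened check: %d\n",
           plaintext_check_hardened("s3cret", "s3cret"));        /* 1 */
    return 0;
}
```

The practical takeaway for a deployment like the one in the report: whenever a plaintext comparison path can be reached with a credential field that did not originate as a plaintext password (a shadow entry via a stacked system auth module, a column left at its lock marker by a provisioning script), the check has to recognise "not a credential" as a distinct state rather than as a string to match.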
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.0-22

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:

proftpd-dfsg_1.3.0-22.diff.gz
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-22.diff.gz
proftpd-dfsg_1.3.0-22.dsc
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-22.dsc
proftpd-doc_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-doc_1.3.0-22_all.deb
proftpd-ldap_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-22_all.deb
proftpd-mysql_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-mysql_1.3.0-22_all.deb
proftpd-pgsql_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-pgsql_1.3.0-22_all.deb
proftpd_1.3.0-22_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd_1.3.0-22_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <[EMAIL PROTECTED]> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 17 Apr 2007 10:48:43 +0200
Source: proftpd-dfsg
Binary: proftpd proftpd-mysql proftpd-pgsql proftpd-ldap proftpd-doc
Architecture: source all i386
Version: 1.3.0-22
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <[EMAIL PROTECTED]>
Changed-By: Francesco Paolo Lovergine <[EMAIL PROTECTED]>
Description: 
 proftpd    - Versatile, virtual-hosting FTP daemon
 proftpd-doc - Versatile, virtual-hosting FTP daemon (Documentation)
 proftpd-ldap - Versatile, virtual-hosting FTP daemon
 proftpd-mysql - Versatile, virtual-hosting FTP daemon
 proftpd-pgsql - Versatile, virtual-hosting FTP daemon
Closes: 419255
Changes: 
 proftpd-dfsg (1.3.0-22) unstable; urgency=high
 .
   * Added update-inetd dependency.
   * Security: added an auth_cache patch to manage stacked auth schemes, which
     can introduce unexpected behaviors in some corner cases.
     See http://bugs.proftpd.org/show_bug.cgi?id=2922
     (closes: #419255)
   * Added an auth_loop patch to avoid endless loop in auth modules.
Files: 
 7cf5d0c166a54e8cb9d7169d526078e7 940 net optional proftpd-dfsg_1.3.0-22.dsc
 4435bb21406f561b94ffa99e192020d2 197550 net optional proftpd-dfsg_1.3.0-22.diff.gz
 1a691c0d44678387945400fde82ad58b 799728 net optional proftpd_1.3.0-22_i386.deb
 f295bce974ab57726e7fab19c0f7c5a9 493646 doc optional proftpd-doc_1.3.0-22_all.deb
 326249d8c9722add4e74b6e7b929f59b 162964 net optional proftpd-mysql_1.3.0-22_all.deb
 379695a4501c132334058188263da135 162968 net optional proftpd-pgsql_1.3.0-22_all.deb
 9ba78ccf76f98b49a29821612d7a00f1 162958 net optional proftpd-ldap_1.3.0-22_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGJUEQpFNRmenyx0cRAsDdAKCoZADZv0xNUtZ9oWfAXcYntxWmIwCdHOmA
jY5TvHJRzWoTNGGVgBUZKxo=
=AIRy
-----END PGP SIGNATURE-----


--- End Message ---