Bug#365464: proftpd: net ACLs are buggy

severity 365464 important tags 365464 - security thanks This is more a configuration issue than a true bug. A proper configured system (i.e. full 128bits CIDR) has no problem at all. -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Troub

Processed: Re: Bug#365464: proftpd: net ACLs are buggy

Processing commands for [EMAIL PROTECTED]: > severity 365464 important Bug#365464: proftpd: net ACLs are buggy Severity set to `important'. > tags 365464 - security Bug#365464: proftpd: net ACLs are buggy Tags were: fixed-upstream pending patch confirmed upstream security Tags remove

Bug#365464: proftpd: net ACLs are buggy

On Wed, May 10, 2006 at 07:29:30AM +0200, Julien BLACHE wrote: > Francesco Paolo Lovergine <[EMAIL PROTECTED]> wrote: > > Hi, > > >> Huh? It's a IPv6 address, followed by a slash, followed by the number > >> of significant bits in decimal. Just like IPv4. > > > > Sorry, that's not what I meant.

Bug#365464: proftpd: net ACLs are buggy

On Wed, May 10, 2006 at 10:45:49AM +0200, Julien BLACHE wrote: > Francesco Paolo Lovergine <[EMAIL PROTECTED]> wrote: > > > The true problem is admin inconsistency ;) Unfortunately > > :::10.0.0.0/24 is a perfectly valid CIDR notation, but IS NOT what a > > naive user would expect, because IPV

Bug#365464: proftpd: net ACLs are buggy

Francesco Paolo Lovergine <[EMAIL PROTECTED]> wrote: > The true problem is admin inconsistency ;) Unfortunately > :::10.0.0.0/24 is a perfectly valid CIDR notation, but IS NOT what a > naive user would expect, because IPV6 CIDR are on a 128bit range. So using > that notation indeed open the da

Bug#365464: proftpd: net ACLs are buggy

Francesco Paolo Lovergine <[EMAIL PROTECTED]> wrote: Hi, >> Huh? It's a IPv6 address, followed by a slash, followed by the number >> of significant bits in decimal. Just like IPv4. > > Sorry, that's not what I meant. > > :::192.168.0.0/124 is correct, :::192.168.0.0/24 not. > because th

Bug#365464: proftpd: net ACLs are buggy

On Tue, May 09, 2006 at 09:37:41PM +0200, Florian Weimer wrote: > * Francesco Paolo Lovergine: > > >> According to my notes (I'm offline at the moment), RFC 3513 specifies > >> a syntax for IPv6 prefixes. The syntax is similar to IPv4 prefixes: > >> > >> 0123:4567:89ab:cdef:0123:4567:89ab:cde0

Bug#365464: proftpd: net ACLs are buggy

* Francesco Paolo Lovergine: >> According to my notes (I'm offline at the moment), RFC 3513 specifies >> a syntax for IPv6 prefixes. The syntax is similar to IPv4 prefixes: >> >> 0123:4567:89ab:cdef:0123:4567:89ab:cde0/124 >> > > Which is completely different from the ipv4 cidr indeed. Huh?

Bug#365464: proftpd: net ACLs are buggy

On Tue, May 09, 2006 at 06:18:34PM +0200, Florian Weimer wrote: > * Francesco Paolo Lovergine: > > >> Refusing IPv6 subnets doesn't qualify as a fix for this issue IMHO, > >> but at least it'll fix the hole in the meantime. I wonder how this > >> code can end up in a stable release. > > > I'm not

Bug#365464: proftpd: net ACLs are buggy

* Francesco Paolo Lovergine: >> Refusing IPv6 subnets doesn't qualify as a fix for this issue IMHO, >> but at least it'll fix the hole in the meantime. I wonder how this >> code can end up in a stable release. > I'm not an IPv6 expert but AFAIK IPv4 CIDR notation is simply a non > sense in 128bit

Bug#365464: proftpd: net ACLs are buggy

On Tue, May 09, 2006 at 01:43:14PM +0200, Julien BLACHE wrote: > > An upstream patch is now available to refuse CIDR notation in ipv6 > > addresses. It seems ok to me to manage the issue. > > Would you please confirm that, if you are able to patch yourself the > > package? > > Else i'll go straig

Bug#365464: proftpd: net ACLs are buggy

Francesco Paolo Lovergine <[EMAIL PROTECTED]> wrote: Hi, > An upstream patch is now available to refuse CIDR notation in ipv6 > addresses. It seems ok to me to manage the issue. > Would you please confirm that, if you are able to patch yourself the package? > Else i'll go straight with -7 with t

Bug#365464: proftpd: net ACLs are buggy

tags 365464 + patch tags 365464 + pending tags 365464 + fixed-upstream thanks An upstream patch is now available to refuse CIDR notation in ipv6 addresses. It seems ok to me to manage the issue. Would you please confirm that, if you are able to patch yourself the package? Else i'll go straight wi

Processed: Re: Bug#365464: proftpd: net ACLs are buggy

Processing commands for [EMAIL PROTECTED]: > tags 365464 + patch Bug#365464: proftpd: net ACLs are buggy Tags were: confirmed upstream security Tags added: patch > tags 365464 + pending Bug#365464: proftpd: net ACLs are buggy Tags were: patch confirmed upstream security Tags added: p

Bug#365464: proftpd: net ACLs are buggy

tags 365464 + upstream tags 365464 + confirmed thanks See #2785 on proftpd bugzilla. -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Processed: Re: Bug#365464: proftpd: net ACLs are buggy

Processing commands for [EMAIL PROTECTED]: > tags 365464 + upstream Bug#365464: proftpd: net ACLs are buggy Tags were: security Tags added: upstream > tags 365464 + confirmed Bug#365464: proftpd: net ACLs are buggy Tags were: upstream security Tags added: confirmed > thanks Stopping p

Bug#365464: proftpd: net ACLs are buggy

Package: proftpd Version: 1.3.0-4 Severity: grave Tags: security Justification: user security hole Hi, Net ACLs in proftpd 1.3.0 seem to be buggy. Specifying a network using either CIDR notation or a wildcard leads to proftpd granting access to every clients regardless of their IP address. My