Date: Wed, 11 Feb 2009 10:58:05 -0800 (PST)
From: TJ Saunders <tj@...taglia.org>
To: <oss-security@...ts.openwall.com>
cc: <coley@...us.mitre.org>
Subject: Re: CVE request for proftpd


> An SQL injection vulnerability in proftpd was reported on bugtraq
> yesterday that could allow a user to login to proftpd with any password
> if they use mysql for authentication (and, presumably, postgresql).
> 
> References:
> 
> http://www.securityfocus.com/archive/1/500823/30/0/threaded
> http://bugs.gentoo.org/show_bug.cgi?id=258450
> http://bugs.proftpd.org/show_bug.cgi?id=3180
> https://bugzilla.redhat.com/show_bug.cgi?id=485125

This has been reported on the ProFTPD Bugzilla:

  http://bugs.proftpd.org/show_bug.cgi?id=3180

As discussed there, this is a duplicate of an earlier bug:

  http://bugs.proftpd.org/show_bug.cgi?id=3124

and has been fixed in ProFTPD 1.3.2rc3 and later.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   There is a pleasure in the pathless woods,
   There is a rapture on the lonely shore,
   There is society, where none intrudes,
   By the deep sea and music in its roar:
   I love not man the less, but Nature more,
   From these our interviews, in which I steal
   From all I may be, or have been before,
   To mingle with the Universe, and feel
   What I can ne'er express, yet cannot all conceal.
   
   	-Lord Byron
   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
