Re: [da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]

From: Haesu (haesu_at_towardex.com)
Date: 09/24/03

  • Next message: Peter Pentchev: "Re: [da@securityfocus.com: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability (fwd)]"
    Date: Wed, 24 Sep 2003 02:20:14 -0400
    To: freebsd-security@freebsd.org
    
    

    I just want to clarify...

    # $FreeBSD: ports/ftp/proftpd/Makefile,v 1.56 2003/09/23 18:42:43 mharo Exp $
    #

    PORTNAME= proftpd
    PORTVERSION= 1.2.8
    PORTREVISION= 1

    Is that the updated port that fixes the vulnerability? It's still 1.2.8, but I think
    this is the patched version, since the RCS ID shows 9/23, which is yesterday.

    Thanks,
    -hc

    -- 
    Haesu C.
    TowardEX Technologies, Inc.
    Consulting, colocation, web hosting, network design and implementation
    http://www.towardex.com | haesu@towardex.com
    Cell: (978)394-2867     | Office: (978)263-3399 Ext. 174
    Fax: (978)263-0033      | POC: HAESU-ARIN
    On Wed, Sep 24, 2003 at 01:13:58AM +0100, Jez Han*** wrote:
    > Recent proftpd security vulnerability release FYI.  Ports has latest
    > patched proftpd distribution.
    > -- 
    > Jez
    > 
    > http://www.munk.nu/
    > Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
    > Precedence: bulk
    > List-Id: <bugtraq.list-id.securityfocus.com>
    > List-Post: <mailto:bugtraq@securityfocus.com>
    > List-Help: <mailto:bugtraq-help@securityfocus.com>
    > List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
    > List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
    > Delivered-To: mailing list bugtraq@securityfocus.com
    > Delivered-To: moderator for bugtraq@securityfocus.com
    > Date: Tue, 23 Sep 2003 10:25:54 -0600 (MDT)
    > From: Dave Ahmad <da@securityfocus.com>
    > To: bugtraq@securityfocus.com
    > Subject: ISS Security Brief: ProFTPD ASCII File Remote Compromise
    > 	Vulnerability (fwd)
    > X-Spam-Score: -103.8 (---------------------------------------------------)
    > X-Spam-Status: No, hits=-103.8 required=6.0
    > 	tests=KNOWN_MAILING_LIST,PGP_SIGNATURE,USER_AGENT_PINE,
    > 	      USER_IN_WHITELIST
    > 	version=2.55
    > X-Spam-Level: 
    > X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
    > 
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > 
    > Internet Security Systems Security Brief
    > September 23, 2003
    > 
    > ProFTPD ASCII File Remote Compromise Vulnerability
    > 
    > Synopsis:
    > 
    > ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD
    > is a highly configurable FTP (File Transfer Protocol) server for Unix
    > that allows for per-directory access restrictions, easy configuration of
    > virtual FTP servers, and support for multiple authentication mechanisms.
    > A flaw exists in the ProFTPD component that handles incoming ASCII file
    > transfers.
    > 
    > Impact:
    > 
    > An attacker capable of uploading files to the vulnerable system can
    > trigger a buffer overflow and execute arbitrary code to gain complete
    > control of the system. Attackers may use this vulnerability to destroy,
    > steal, or manipulate data on vulnerable FTP sites.
    > 
    > Affected Versions:
    > 
    > ProFTPD 1.2.7
    > ProFTPD 1.2.8
    > ProFTPD 1.2.8rc1
    > ProFTPD 1.2.8rc2
    > ProFTPD 1.2.9rc1
    > ProFTPD 1.2.9rc2
    > 
    > Note: Versions previous to version 1.2.7 may also be vulnerable.
    > 
    > For the complete ISS X-Force Security Advisory, please visit:
    > http://xforce.iss.net/xforce/alerts/id/154
    > 
    > ______
    > 
    > About Internet Security Systems (ISS)
    > Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
    > pioneer and world leader in software and services that protect critical
    > online resources from an ever-changing spectrum of threats and misuse.
    > Internet Security Systems is headquartered in Atlanta, GA, with
    > additional operations throughout the Americas, Asia, Australia, Europe
    > and the Middle East.
    > 
    > Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
    > worldwide.
    > 
    > Permission is hereby granted for the electronic redistribution of this
    > document. It is not to be edited or altered in any way without the
    > express written consent of the Internet Security Systems X-Force. If you
    > wish to reprint the whole or any part of this document in any other
    > medium excluding electronic media, please email xforce@iss.net for
    > permission.
    > 
    > Disclaimer: The information within this paper may change without notice.
    > Use of this information constitutes acceptance for use in an AS IS
    > condition. There are NO warranties, implied or otherwise, with regard to
    > this information or its use. Any use of this information is at the
    > user's risk. In no event shall the author/distributor (Internet Security
    > Systems X-Force) be held liable for any damages whatsoever arising out
    > of or in connection with the use or spread of this information.
    > X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
    > as well as at http://www.iss.net/security_center/sensitive.php
    > Please send suggestions, updates, and comments to: X-Force
    > xforce@iss.net of Internet Security Systems, Inc.
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: 2.6.2
    > 
    > iQCVAwUBP3BeFTRfJiV99eG9AQG2ngP/XopPpEYCbR6HSYhObaK+c2D32kwfiQEP
    > CJqXmoljU661kBKvL2RclLF8tutegL3T44/5utBuVgzCWALSRrJiJgZMWafRtE7m
    > lnl7V5Rzo7aEBxhmiaOqdLoNgzNd8NTtSkPrcFQZxjrQe9FvpIgsyiuY6ADNoDfH
    > mXStpCwCFWg=
    > =TZR3
    > -----END PGP SIGNATURE-----
    > 
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
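The question above comes down to version bookkeeping: does the port's PORTVERSION fall inside the advisory's affected list, and does a PORTREVISION bump mean anything about this fix? As an added example, not code from the thread, the ports tree or ProFTPD, here is a small checker that parses the quoted Makefile fragment, orders ProFTPD version strings so that release candidates sort before the final release (1.2.8rc2 < 1.2.8 < 1.2.9rc1), and reports where the port's upstream version sits relative to the ISS list. The Makefile text and the affected-version list are copied from the messages above and embedded as constructed input; the function and field names are the example's own.

```python
import re

# Constructed input: the port Makefile fragment and the ISS affected-version
# list exactly as quoted in this thread.
PORT_MAKEFILE = """\
# $FreeBSD: ports/ftp/proftpd/Makefile,v 1.56 2003/09/23 18:42:43 mharo Exp $
#
PORTNAME= proftpd
PORTVERSION= 1.2.8
PORTREVISION= 1
"""

ISS_AFFECTED = ["1.2.7", "1.2.8", "1.2.8rc1", "1.2.8rc2", "1.2.9rc1", "1.2.9rc2"]

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?$")


def parse_version(s):
    """Turn '1.2.8rc2' into a sortable key.

    Key layout: (numeric parts, 0 for rc / 1 for final, rc number), so that
    every rcN of a version sorts before the final release of that version.
    """
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised ProFTPD version: %r" % s)
    nums = tuple(int(x) for x in m.group(1).split("."))
    rc = m.group(2)
    return (nums, 0 if rc is not None else 1, int(rc) if rc is not None else 0)


def parse_port_makefile(text):
    """Pull PORTNAME/PORTVERSION/PORTREVISION out of a ports Makefile."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(PORTNAME|PORTVERSION|PORTREVISION)\s*\??=\s*(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def assess(makefile_text, affected):
    """Compare the port's upstream version against an advisory's list.

    Returns the version, the PORTREVISION, a status string, and whether the
    port carries local changes (PORTREVISION > 0).  A non-zero PORTREVISION
    only says the port was modified on top of that upstream release; it does
    not by itself prove the modification is the fix for this advisory.
    """
    v = parse_port_makefile(makefile_text)
    key = parse_version(v["PORTVERSION"])
    affected_keys = sorted(parse_version(a) for a in affected)
    if key in affected_keys:
        status = "listed as affected"
    elif key < affected_keys[0]:
        # ISS: "Versions previous to version 1.2.7 may also be vulnerable."
        status = "older than listed range; advisory says may also be vulnerable"
    else:
        status = "not in the advisory's affected list"
    revision = int(v.get("PORTREVISION", "0"))
    return {
        "version": v["PORTVERSION"],
        "revision": revision,
        "status": status,
        "has_local_patches": revision > 0,
    }


if __name__ == "__main__":
    print(assess(PORT_MAKEFILE, ISS_AFFECTED))
```

The point of the ordering is that a naive string compare would put 1.2.8rc2 after 1.2.8. For the quoted Makefile the checker reports upstream 1.2.8, which is on the ISS list, with PORTREVISION 1; to confirm that revision actually carries the ASCII-transfer fix you still have to look at the port's patch files or the commit that bumped it, since PORTREVISION is bumped for any port-level change.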
    
