Debian Security Advisory
proftpd -- buffer overflows in proftpd
- Date Reported: 11 Nov 1999
- Affected Packages: proftpd
- Vulnerable: Yes
- Security database references: In the Bugtraq database (at SecurityFocus): BugTraq ID 650.
- More information:
- The proftpd version that was distributed in Debian
GNU/Linux 2.1 had several buffer overruns that could be exploited by remote
attackers. A short list of the problems:
- user input was used in snprintf() without sufficient checks
- there was an overflow in the log_xfer() routine
- you could overflow a buffer by using very long pathnames
Please note that this is not meant to be an exhaustive list.
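The three items above share one root cause: untrusted, unbounded input (a pathname, a user name) is copied into a fixed-size buffer, and the fact that snprintf() is involved does not by itself make the copy safe. The following is an added, illustrative example and is not ProFTPD's code; the buffer size, the client address, the pathname and the function names are all constructed for the demonstration. It shows a transfer-log formatter written in the common 1990s idiom of chaining snprintf() return values as the write offset, which silently goes out of bounds once a long pathname is truncated, next to a hardened version that checks every return value against the space actually left and refuses the line instead of overflowing.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative constants (not ProFTPD's): a deliberately small log-line
 * buffer so that a long pathname overflows it, and a constructed client. */
#define LOG_LINE_MAX 64
static const char *const SAMPLE_CLIENT = "192.0.2.10";

/* VULNERABLE pattern: a transfer-log line assembled by chaining snprintf()
 * return values as the write offset. snprintf() returns the length it
 * *wanted* to write, not what it actually wrote, so once a long pathname is
 * truncated `used` exceeds LOG_LINE_MAX and the "space left" expression
 * LOG_LINE_MAX - used wraps to a huge size_t. The next snprintf() would then
 * write past the end of `line`. To keep this demo memory-safe that final
 * write is not performed; the function returns the wrapped size it would
 * have passed to snprintf(). */
size_t xfer_log_unsafe_remaining(const char *client, const char *path, char *line)
{
    size_t used = 0;

    used += (size_t)snprintf(line, LOG_LINE_MAX, "%s ", client);
    /* Only in bounds here because the sample client address is short. */
    used += (size_t)snprintf(line + used, LOG_LINE_MAX - used, "%s ", path);
    /* With a 127-byte path this is 64 - 139: unsigned wrap-around. */
    return LOG_LINE_MAX - used;
}

/* HARDENED helper: append formatted text to buf[cap], tracking *used.
 * The vsnprintf() result is compared with the space actually left; on
 * truncation the partial fragment is discarded and false is returned. */
static bool append_checked(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*used >= cap)
        return false;
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *used) {
        buf[*used] = '\0';      /* keep the buffer NUL-terminated, drop fragment */
        return false;
    }
    *used += (size_t)n;
    return true;
}

/* HARDENED formatter: each field is bounds-checked, so an overlong pathname
 * makes the call fail instead of overflowing. Returns true on success. */
bool xfer_log_safe(const char *client, const char *path, long bytes,
                   char *line, size_t cap)
{
    size_t used = 0;

    if (cap == 0)
        return false;
    line[0] = '\0';
    return append_checked(line, cap, &used, "%s ", client)
        && append_checked(line, cap, &used, "%s ", path)
        && append_checked(line, cap, &used, "%ld\n", bytes);
}

/* Constructed 127-byte pathname, far longer than the log line can hold. */
static void make_long_path(char *path, size_t cap)
{
    memset(path, 'A', cap - 1);
    path[cap - 1] = '\0';
}

/* Wrapped "remaining capacity" the vulnerable version computes (> LOG_LINE_MAX). */
size_t demo_unsafe_wraps(void)
{
    char line[LOG_LINE_MAX];
    char path[128];

    make_long_path(path, sizeof path);
    return xfer_log_unsafe_remaining(SAMPLE_CLIENT, path, line);
}

/* True if the hardened version refuses the same path and leaves a valid string. */
bool demo_safe_rejects_long_path(void)
{
    char line[LOG_LINE_MAX];
    char path[128];

    make_long_path(path, sizeof path);
    return !xfer_log_safe(SAMPLE_CLIENT, path, 4096L, line, sizeof line)
        && strlen(line) < sizeof line;
}

/* True if an ordinary transfer is still logged exactly as expected. */
bool demo_safe_formats_short_path(void)
{
    char line[LOG_LINE_MAX];

    return xfer_log_safe(SAMPLE_CLIENT, "/pub/README", 1024L, line, sizeof line)
        && strcmp(line, "192.0.2.10 /pub/README 1024\n") == 0;
}

int main(void)
{
    printf("unsafe 'remaining' capacity: %zu (buffer is %d bytes)\n",
           demo_unsafe_wraps(), LOG_LINE_MAX);
    printf("safe rejects long path: %s\n", demo_safe_rejects_long_path() ? "yes" : "no");
    printf("safe formats short path: %s\n", demo_safe_formats_short_path() ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is that a logging routine must never let a client-controlled length decide how much it writes: check the return value of every snprintf()/vsnprintf() against the remaining space, and fail the operation (or reject overlong pathnames up front) rather than trust that "snprintf is bounded" on its own.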
In addition to the security fixes, a couple of Y2K problems were also fixed.
See the SUSE Security announcement (1999 Sep 0052) and the BugTraq list archive (1999 Sep 0337) for additional information.
We have made a new package with version 1.2.0pre9-4 to address these issues, and we recommend that you upgrade your proftpd package immediately.
- Fixed in: Debian GNU/Linux 2.1 (slink), proftpd 1.2.0pre9-4
- Source:
- http://security.debian.org/dists/slink/updates/source/proftpd_1.2.0pre9-4.diff.gz
- http://security.debian.org/dists/slink/updates/source/proftpd_1.2.0pre9-4.dsc
- http://security.debian.org/dists/slink/updates/source/proftpd_1.2.0pre9.orig.tar.gz
- Alpha:
- http://security.debian.org/dists/slink/updates/binary-alpha/proftpd_1.2.0pre9-4_alpha.deb
- i386:
- http://security.debian.org/dists/slink/updates/binary-i386/proftpd_1.2.0pre9-4_i386.deb
- m68k:
- http://security.debian.org/dists/slink/updates/binary-m68k/proftpd_1.2.0pre9-4_m68k.deb
- Sparc:
- http://security.debian.org/dists/slink/updates/binary-sparc/proftpd_1.2.0pre9-4_sparc.deb