Debian: DSA-1727-1: New proftpd-dfsg packages fix SQL injection vulnerabilities

    Date: 26 Feb 2009
    Category: Debian
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 1727-1
    http://www.debian.org/security/                             Steffen Joeris
    February 26th, 2009                     http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : proftpd-dfsg
    Vulnerability  : SQL injection vulnerabilities
    Problem type   : remote
    Debian-specific: no
    CVE Ids        : CVE-2009-0542 CVE-2009-0543
    
    Two SQL injection vulnerabilities have been found in proftpd, a
    virtual-hosting FTP daemon.  The Common Vulnerabilities and Exposures
    project identifies the following problems:
    
    CVE-2009-0542
    
        Shino discovered that proftpd is prone to an SQL injection
        vulnerability via the use of certain characters in the username.
    
    CVE-2009-0543
    
        TJ Saunders discovered that proftpd is prone to an SQL injection
        vulnerability due to insufficient escaping mechanisms, when
        multibyte character encodings are used.
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.3.1-17lenny1.
    
    For the oldstable distribution (etch), these problems will be fixed
    soon.
    
    For the testing distribution (squeeze), these problems will be fixed
    soon.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 1.3.2-1.
    
    We recommend that you upgrade your proftpd-dfsg package.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given at the end of this advisory:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
    
    