Debian: DSA-1730-1: New proftpd-dfsg packages fix SQL injection vulnerabilites

    Date02 Mar 2009
    CategoryDebian
    80
    Posted ByLinuxSecurity Advisories
    The security update for proftpd-dfsg in DSA-1727-1 caused a regression with the postgresql backend. This update corrects the flaw. Also it was discovered that the oldstable distribution (etch) is not affected by the security issues. For reference the original advisory follows.
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1730-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Steffen Joeris
    March 02, 2009                        http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : proftpd-dfsg
    Vulnerability  : SQL injection vulnerabilites
    Problem type   : remote
    Debian-specific: no
    CVE Id         : CVE-2009-0542 CVE-2009-0543
    
    The security update for proftpd-dfsg in DSA-1727-1 caused a regression
    with the postgresql backend. This update corrects the flaw. Also it was
    discovered that the oldstable distribution (etch) is not affected by the
    security issues. For reference the original advisory follows.
    
    
    Two SQL injection vulnerabilities have been found in proftpd, a
    virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures
    project identifies the following problems:
    
    CVE-2009-0542
    
    Shino discovered that proftpd is prone to an SQL injection vulnerability
    via the use of certain characters in the username.
    
    
    CVE-2009-0543
    
    TJ Saunders discovered that proftpd is prone to an SQL injection
    vulnerability due to insufficient escaping mechanisms, when multybite
    character encodings are used.
    
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.3.1-17lenny2.
    
    The oldstable distribution (etch) is not affected by these problems.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 1.3.2-1.
    
    For the testing distribution (squeeze), these problems will be fixed
    soon.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny2.dsc
        Size/MD5 checksum:     1348 999a90bce53bdbedb466c330f53930b3
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny2.diff.gz
        Size/MD5 checksum:   102454 7aef5be0467c618268e6855853cc6ede
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz
        Size/MD5 checksum:  2662056 da40b14c5b8ec5467505c98b4ee4b7b9
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny2_all.deb
        Size/MD5 checksum:   194944 c8ff69e853fa9f2d99ac2f2ec6ef1931
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny2_all.deb
        Size/MD5 checksum:  1256374 246af0eb2708ed8a95a4b09e6c12eeb6
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_alpha.deb
        Size/MD5 checksum:   204606 e7684fb8cea0eab2e70768e649cabfda
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_alpha.deb
        Size/MD5 checksum:   204494 0a8af70dbca35c00922dd74ac157950e
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_alpha.deb
        Size/MD5 checksum:   783174 412ec178e00e2c81b5ac03c011289cb9
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_alpha.deb
        Size/MD5 checksum:   215212 8ed3a97fd48134c095155b80280944f4
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_amd64.deb
        Size/MD5 checksum:   744994 088cc61e58bfe5cb69d1a289a01583c9
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_amd64.deb
        Size/MD5 checksum:   214394 2f91032b7ed9ac63bd185e44fbd9f9fc
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_amd64.deb
        Size/MD5 checksum:   203948 93a20998ec01d0146896715fff2eef4b
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_amd64.deb
        Size/MD5 checksum:   203960 2432cb98472f84d422af51b1e73f162f
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_arm.deb
        Size/MD5 checksum:   203054 82374f3091fde19ef25a05c6e84875f3
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_arm.deb
        Size/MD5 checksum:   699514 2780b586246090d45c89018a7c55405a
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_arm.deb
        Size/MD5 checksum:   203210 4a03125743c3a1648d19063f4f2da049
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_arm.deb
        Size/MD5 checksum:   213892 57cd6dd74cc84056983c6bd33b570336
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_armel.deb
        Size/MD5 checksum:   708946 be11be15d30a2006e1dc48e66729df5c
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_armel.deb
        Size/MD5 checksum:   213904 e90774a0f2b1872c1d263e767098395d
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_armel.deb
        Size/MD5 checksum:   203448 60fb5e55dac79485ac647428b6352e25
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_armel.deb
        Size/MD5 checksum:   203348 c374bc03f28fd0c28f4fcc2873044f9f
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_i386.deb
        Size/MD5 checksum:   688594 4cd06204ef629266c1c8155947a6b6a2
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_i386.deb
        Size/MD5 checksum:   212258 bafaa0315c5b5297b88b60b8616aac60
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_i386.deb
        Size/MD5 checksum:   203120 a227e785663434eae3dab1009a0bc62f
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_i386.deb
        Size/MD5 checksum:   203068 48b8a2dd5dff88c7efc712d10194378b
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_ia64.deb
        Size/MD5 checksum:   207290 590a5a7e19eaf9894a7e4ca7daca5b14
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_ia64.deb
        Size/MD5 checksum:   207130 03ca7f3af176a288f34629e858a2ca95
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_ia64.deb
        Size/MD5 checksum:   980558 0ef2425118c7512e57b1cdb71244cef8
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_ia64.deb
        Size/MD5 checksum:   222020 5a7e799ae7a49dc9d90835eb31da6aae
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_mips.deb
        Size/MD5 checksum:   203074 79d45e3f03cb02da954c88cdc02d814d
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_mips.deb
        Size/MD5 checksum:   203200 293e8ae86efc6db5974ea918c97e15d5
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_mips.deb
        Size/MD5 checksum:   211744 392471183f511b5af897ba94ee288c15
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_mips.deb
        Size/MD5 checksum:   688174 67dba7a05c79d64237dc9613556024b1
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_mipsel.deb
        Size/MD5 checksum:   203088 7fe0c3ca99c6a09d0c23132e5079c0ed
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_mipsel.deb
        Size/MD5 checksum:   203232 1686c31ecbc317e5ad06fd82c2561764
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_mipsel.deb
        Size/MD5 checksum:   688842 dace55dd469da8536ad0bd59bbc2be4b
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_mipsel.deb
        Size/MD5 checksum:   211658 6851634f6d477e86639c1251fd099fd7
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_powerpc.deb
        Size/MD5 checksum:   218060 2ed41953d64c3cc937a2b0536f7c2399
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_powerpc.deb
        Size/MD5 checksum:   205960 fc56a5d5bb506410f01096a97097cdf4
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_powerpc.deb
        Size/MD5 checksum:   205814 ecc3ac792892e290cf9e3ffd6d28fc90
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_powerpc.deb
        Size/MD5 checksum:   776858 79a93a35a4ef2f141598ffa73811f57c
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_s390.deb
        Size/MD5 checksum:   204214 7106c2dafe368d8433a4a3ff239e8039
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_s390.deb
        Size/MD5 checksum:   204292 2b3489d42a909772a8a2185bb8d60e1c
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_s390.deb
        Size/MD5 checksum:   214240 5822e4fb227da29983f2cabd119a7e9a
      http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_s390.deb
        Size/MD5 checksum:   739348 87004df746c69fe18a73544977dbd36a
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":50.65,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.29,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"27","type":"x","order":"3","pct":35.06,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.