Hello, ProFTPD community. The ProFTPD Project team must make the following announcement: X-Force Research at ISS (www.iss.net) has discovered a bug in ProFTPD's handling of ASCII translation. An attacker, by downloading a carefully crafted file, can remotely exploit this bug to create a root shell.

Date: Tue, 23 Sep 2003 07:46:01 -0700 (PDT)
From: TJ Saunders
To: proftp-announce@lists.sourceforge.net
Cc: proftp-devel@lists.sourceforge.net, proftp-user@lists.sourceforge.net
Subject: [Proftpd-user] ProFTPD Remote Exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, ProFTPD community. The ProFTPD Project team must make the following announcement:

X-Force Research at ISS (www.iss.net) has discovered a bug in ProFTPD's handling of ASCII translation. An attacker, by downloading a carefully crafted file, can remotely exploit this bug to create a root shell:

The source distributions on the project FTP server have been replaced with patched versions (hence the 'p' in the filenames); the MD5 checksums and PGP signatures for these patched distributions are listed below. The old RPMs have been deleted, and new RPMs provided. All snapshots have been removed from the server.

All ProFTPD users are strongly encouraged to upgrade to one of these distributions as soon as possible.

The ProFTPD Project team would like to heartily thank the X-Force engineers for the responsible and professional way in which they reported the vulnerability, and worked with the ProFTPD Project team to address this issue.

The patched distributions, including PGP signatures and MD5 sums, will soon be available from any of the proftpd mirrors. Mirrors are available via FTP as:

  ftp..proftpd.org  (example: ftp.nl.proftpd.org).

Not all countries have mirrors; however you should select one that is geographically close to you.

The MD5 sums for the source tarballs are:

  ca6bbef30253a8af0661fdc618677e5c  proftpd-1.2.7p.tar.bz2
  677adebba98488fb6c232f7de898b58a  proftpd-1.2.7p.tar.gz
  417e41092610816bd203c3766e96f23b  proftpd-1.2.8p.tar.bz2
  abf8409bbd9150494bc1847ace06857a  proftpd-1.2.8p.tar.gz
  b89c44467f85eea41f8b1df17f8a0faa  proftpd-1.2.9rc1p.tar.bz2
  14ab9868666d68101ed942717a1632d1  proftpd-1.2.9rc1p.tar.gz
  27e3f62a5615999adbbebcefa92b4510  proftpd-1.2.9rc2p.tar.bz2
  9ce26b461b2fa3d986c9822b85c94e5f  proftpd-1.2.9rc2p.tar.gz

The PGP signatures for the source tarballs are:

My PGP key has been used to sign the source tarballs as well as this announcement; it is available via MIT's public keyserver.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBP3Bgo7eOiT+lEZdqEQKc7wCgjNunSMRpnlENcIfvD7HJQ3ztR+0AmgP6
TAtnk6j+hNgJxnb6fMWr9PpO
=5hhJ
-----END PGP SIGNATURE-----
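
The following is an added example, not part of the announcement or of ProFTPD: one way to check downloaded tarballs against an MD5 list in the "digest, two spaces, filename" layout used above. The function names `verify_tarball` and `verify_all` are hypothetical, and the script assumes GNU `md5sum` and that the list has been saved to a file.

```shell
#!/bin/sh
# Added example: check tarballs against an announcement-style MD5 list.
# List format assumed: "<32 hex digits>  <filename>", one entry per line.

# verify_tarball SUMS FILE
#   returns 0 if FILE's MD5 equals its entry in SUMS,
#           1 on a digest mismatch,
#           2 if FILE or SUMS is unreadable, or FILE has no well-formed entry.
# An unlisted file is a failure, never a pass (fail closed).
verify_tarball() {
    sums=$1
    file=$2
    name=$(basename "$file")
    [ -r "$sums" ] && [ -f "$file" ] || return 2
    # Exact filename match on field 2; accept only a 32-hex-digit digest.
    want=$(awk -v n="$name" \
        '$2 == n && length($1) == 32 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1); exit }' \
        "$sums")
    [ -n "$want" ] || return 2
    have=$(md5sum "$file" | awk '{ print tolower($1) }')
    [ "$have" = "$want" ] || return 1
    return 0
}

# verify_all SUMS DIR
#   checks every listed file that is present in DIR, prints one status line
#   per entry, and returns non-zero if any present file fails verification.
verify_all() {
    list=$1
    dir=$2
    rc=0
    while read -r _digest fname; do
        [ -n "$fname" ] || continue
        if [ ! -f "$dir/$fname" ]; then
            echo "SKIP  $fname (not downloaded)"
        elif verify_tarball "$list" "$dir/$fname"; then
            echo "OK    $fname"
        else
            echo "FAIL  $fname"
            rc=1
        fi
    done < "$list"
    return $rc
}

# Stand-alone use: sh verify.sh MD5SUMS.txt ./downloads
if [ "$#" -eq 2 ]; then
    verify_all "$1" "$2"
fi
```

A matching MD5 sum only shows that the file matches the list; what ties the list to the project is the PGP signature on the announcement, which can be checked with `gpg --verify` after importing the signer's key.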