Forum: >>> Magnum BBS <<<

[SECURITY] [DSA 1730-1] New proftpd-dfsg packages fix SQL injection vul

From Steffen Joeris@1:229/2 to All on Mon Mar 2 22:00:12 2009

From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-1730-1 [email protected] http://www.debian.org/security/ Steffen Joeris
March 02, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : proftpd-dfsg
Vulnerability : SQL injection vulnerabilites
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-0542 CVE-2009-0543

The security update for proftpd-dfsg in DSA-1727-1 caused a regression
with the postgresql backend. This update corrects the flaw. Also it was discovered that the oldstable distribution (etch) is not affected by the security issues. For reference the original advisory follows.

Two SQL injection vulnerabilities have been found in proftpd, a
virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0542

Shino discovered that proftpd is prone to an SQL injection vulnerability
via the use of certain characters in the username.

CVE-2009-0543

TJ Saunders discovered that proftpd is prone to an SQL injection
vulnerability due to insufficient escaping mechanisms, when multybite
character encodings are used.

For the stable distribution (lenny), these problems have been fixed in
version 1.3.1-17lenny2.

The oldstable distribution (etch) is not affected by these problems.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.2-1.

For the testing distribution (squeeze), these problems will be fixed
soon.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny2.dsc
Size/MD5 checksum: 1348 999a90bce53bdbedb466c330f53930b3
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny2.diff.gz
Size/MD5 checksum: 102454 7aef5be0467c618268e6855853cc6ede
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz
Size/MD5 checksum: 2662056 da40b14c5b8ec5467505c98b4ee4b7b9

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny2_all.deb
Size/MD5 checksum: 194944 c8ff69e853fa9f2d99ac2f2ec6ef1931
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny2_all.deb
Size/MD5 checksum: 1256374 246af0eb2708ed8a95a4b09e6c12eeb6

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_alpha.deb
Size/MD5 checksum: 204606 e7684fb8cea0eab2e70768e649cabfda
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_alpha.deb
Size/MD5 checksum: 204494 0a8af70dbca35c00922dd74ac157950e
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_alpha.deb
Size/MD5 checksum: 783174 412ec178e00e2c81b5ac03c011289cb9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_alpha.deb
Size/MD5 checksum: 215212 8ed3a97fd48134c095155b80280944f4

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_amd64.deb
Size/MD5 checksum: 744994 088cc61e58bfe5cb69d1a289a01583c9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_amd64.deb
Size/MD5 checksum: 214394 2f91032b7ed9ac63bd185e44fbd9f9fc
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_amd64.deb
Size/MD5 checksum: 203948 93a20998ec01d0146896715fff2eef4b
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_amd64.deb
Size/MD5 checksum: 203960 2432cb98472f84d422af51b1e73f162f

arm architecture (ARM)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_arm.deb
Size/MD5 checksum: 203054 82374f3091fde19ef25a05c6e84875f3
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_arm.deb
Size/MD5 checksum: 699514 2780b586246090d45c89018a7c55405a
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_arm.deb
Size/MD5 checksum: 203210 4a03125743c3a1648d19063f4f2da049
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_arm.deb
Size/MD5 checksum: 213892 57cd6dd74cc84056983c6bd33b570336

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_armel.deb
Size/MD5 checksum: 708946 be11be15d30a2006e1dc48e66729df5c
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_armel.deb
Size/MD5 checksum: 213904 e90774a0f2b1872c1d263e767098395d
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny2_armel.deb
Size/MD5 checksum: 203448 60fb5e55dac79485ac647428b6352e25
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny2_armel.deb
Size/MD5 checksum: 203348 c374bc03f28fd0c28f4fcc2873044f9f

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny2_i386.deb
Size/MD5 checksum: 688594 4cd06204ef629266c1c8155947a6b6a2
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny2_i386.deb
Size/MD5 checksum: 212258 bafaa0315c5b5297b88b60b8616aac60

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

Who's Online
Recent Visitors
- Ab Cadd
  Sat Jun 6 15:42:53 2026
  from Sheboygan, Wi via Telnet
- Centurion
  Sat Jun 6 15:32:28 2026
  from Berea, Ohio via Telnet
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Fri Jun 5 17:52:51 2026
  from Sheboygan, Wi via Telnet
- Gwylbert
  Fri Jun 5 06:28:52 2026
  from Sydney, Nsw via Telnet
- Centurion
  Thu Jun 4 23:42:23 2026
  from Berea, Ohio via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (2 / 14)
Uptime:	150:32:11
Calls:	12,091
Calls today:	4
Files:	15,000
Messages:	6,517,597

[SECURITY] [DSA 1730-1] New proftpd-dfsg packages fix SQL injection vul

Who's Online

Recent Visitors

System Info