Bug 485125 (CVE-2009-0542)

Summary: CVE-2009-0542 proftpd: SQL injection during login

Field | Value
---|---
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | urgent
Priority | urgent
Version | unspecified
Hardware | All
OS | Linux
Reporter | Vincent Danen <vdanen>
Assignee | Red Hat Product Security <security-response-team>
CC | johan-fedora
Keywords | Security
Doc Type | Bug Fix
Last Closed | 2010-03-29 09:26:12 UTC
Bug Depends On | 485129, 485130, 485131
Description
Vincent Danen
2009-02-11 18:28:15 UTC

The upstream bug is here: http://bugs.proftpd.org/show_bug.cgi?id=3180

Created attachment 331600: exploit for this proftpd issue, from bugtraq

This comes from bugtraq: http://www.securityfocus.com/archive/1/500851/30/0/threaded

Created Fedora tracking bugs for proftpd:

- 9: bug #485129
- 10: bug #485130
- rawhide: bug #485131

This is fixed in proftpd 1.3.2 and seems to only affect 1.3.1. The upstream bug with this fix is http://bugs.proftpd.org/show_bug.cgi?id=3124.

The gentoo BTS also refers to a similar SQL-ish issue, which is upstream bug http://bugs.proftpd.org/show_bug.cgi?id=3173. That issue, however, does not affect us as it only affects proftpd installs with NLS support enabled, which we do not enable (and the default in ./configure is disabled). Noting this here as the gentoo BTS mentions both issues in the report, but only the one noted above actually affects us (although if Fedora updates to 1.3.2, this will be dealt with at the same time).

This issue has been assigned CVE-2009-0542. The second issue that doesn't affect us has been assigned CVE-2009-0543 (just noting it here for reference).

proftpd-1.3.2a-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-2.fc10

proftpd-1.3.2a-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-3.fc10

proftpd-1.3.2a-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-4.fc10

proftpd-1.3.2a-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/proftpd-1.3.2a-5.fc10

proftpd-1.3.2a-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
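The bug class named in the summary, a login lookup whose SQL is built from the client-supplied user name, is illustrated below as an added example. It is not proftpd's code, and it is not the actual vulnerable query from the upstream bug, which this page does not reproduce; the in-memory table, the user record and the lookup functions are constructed for the demonstration. It puts the interpolated query beside the parameterized one so the difference in behaviour on the same input can be checked directly.

```python
import hmac
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo (not proftpd's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    conn.commit()
    return conn


def lookup_vulnerable(conn, userid):
    """Builds the WHERE clause by string interpolation.

    Whatever the client sent becomes part of the SQL text, so a quote in the
    user name changes the query's structure instead of being matched as data.
    """
    query = "SELECT userid, passwd FROM users WHERE userid='%s'" % userid
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, userid):
    """Same lookup with a bound parameter: the user name is always data."""
    query = "SELECT userid, passwd FROM users WHERE userid=?"
    return conn.execute(query, (userid,)).fetchall()


def authenticate(lookup, conn, userid, passwd):
    """Succeeds only if exactly one row matches and its password agrees.

    The row-count check is a cheap defensive guard: a lookup by primary key
    should never return more than one row, so anything else is treated as a
    failed login rather than trusted.
    """
    rows = lookup(conn, userid)
    if len(rows) != 1:
        return False
    return hmac.compare_digest(rows[0][1], passwd)


if __name__ == "__main__":
    conn = make_db()
    probe = "nobody' OR '1'='1"  # constructed input; no such user exists
    print("interpolated  :", lookup_vulnerable(conn, probe))
    print("parameterized :", lookup_parameterized(conn, probe))
```

Run against the constructed table, the interpolated lookup returns alice's row for a user name that does not exist, while the parameterized lookup returns nothing; the only code difference is whether the user name is bound as a parameter or pasted into the query string.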