http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165
http://bugs.proftpd.org/show_bug.cgi?id=2922

"The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd."
Still no backport of the patch to the stable 1.3.0a release. It's pretty annoying, since the patch against the latest RC doesn't apply cleanly because of variable name changes. I tried to backport it, but the risk in _me_ doing so is just too high. I really don't understand how/why projects decide to not provide security patches for what they consider to be the current stable release... I'm going to push new proftpd packages anyway, to fix bug #244168 but not this bug, unfortunately :-(
Still no patches backported to 1.3.0a, so I've at least pushed 1.3.1rc3 to devel (F8) since it fixes all known vulnerabilities, and should be more than stable enough for inclusion. Maybe later backporting it to all current releases would make sense...
Any further news here? Also, if the 1.3.1rc3 is working fine in devel, would you consider pushing to epel? or is it too disruptive going from 1.3.0a to 1.3.1rc3?
I've updated devel to 1.3.1 final, now that it's out. I don't think updating from 1.3.0 to 1.3.1 is too disruptive, but I'm not sure it won't break on some complex setups...
I've had no reports of any problems with 1.3.1, so I'll push it in F-7 testing updates. If everything looks good once it's there, then it should be possible to push it to stable.
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update proftpd'
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Reopening for Werewolf.
I'm confused. The package in F-7 updates has been newer than that one in F-8 for ages, and I haven't received any nag mails about it. Still they're all 1.3.1, so the security fix is included. Nevertheless, I'll be pushing 1.3.1-3 as an F-8 update.
How about also updating EPEL-5 too? It has version 1.3.0a still...
(In reply to comment #10)
> How about also updating EPEL-5 too?
> It has version 1.3.0a still...

Ouch, you're absolutely right! I'll do that now. I still can't reproduce the EL-4 build failure from bug #250223 on my machine, so I think I'll give up on EL-4 proftpd, though.
Both EL-5 and EL-4 build fine, so those are updated too now.
proftpd-1.3.1-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.