[SECURITY] [DLA 2115-2] proftpd-dfsg regression update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2115-2] proftpd-dfsg regression update
From: "Chris Lamb" <lamby@debian.org>
Date: Mon, 02 Mar 2020 10:26:14 -0800
Message-id: <[🔎] 9fb18b9b-c98d-4e80-a4e2-d381dcb67a8f@sloti26t01>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : proftpd-dfsg
Version        : 1.3.5e+r1.3.5-2+deb8u7
CVE ID         : CVE-2020-9273

It was discovered that there was a regression in a previous fix for a
use-after-free vulnerability in the proftpd-dfsg FTP server.

Exploitation of the original vulnerability within the memory pool handling
could have allowed a remote attacker to execute arbitrary code on the
affected system. However, the fix that was released in proftpd-dfsg
version 1.3.5e+r1.3.5-2+deb8u6 had a regression around the handling
of log formatting.

For more information, please see:

  https://github.com/proftpd/proftpd/issues/903

For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
1.3.5e+r1.3.5-2+deb8u7.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl5dT6MACgkQHpU+J9Qx
Hlg12RAAxjvWQ2MCsU7DIIkVujp4pFA3gbXglaQtj7GPgnvOD7+E/CbIpS5h4ChQ
elFscK6MNCWqeU0F0qbjmE0R55PDiCuTiLGgYHg+j3mPkFHsS31BJEQ+jXORIVPK
pXcJWSYIpQhi3zwbeQMkeN/K4Cm+NI++iXNUCELVOMLBX4N1Wix+2zkERMb3pXsw
ZODRIKRpi0NpMrP1xYxOxK1vVSMVbxu97SLT0DsyFPG7jmjcm7c/xlPyjR2mKnij
KA1zNWE/rFQuuEacLVMI/B68I3hnRgGjt1oexmitxTU8AjqAsnt60wsHQcDR2NF+
olHglbca8V8jjs07gjnWEvE8zVvcFCUNXGsb4UYtrGSvL3unhI5ogi4Tp/jw/mfL
ReFi4iLyW5GpqlE1BSAMEpATotlk+jSS0sUDuGVG0T1ybA9Sn64lF7wxUcr3IZw1
FK772xh+C76VjU7VmSTVDSXyO9OjJ13edh3ZCu5DFbVEpd1SBLYrkhdPH3pDoLj+
ApC6G4uOQ51iO/grMEmKkk4AEdMUCnr2o2CUYZg8iNGeAegEOkohr/p2m+x3Cn+8
v1BICuxjegq8XEz4/+mfKfLRnimHvgloEG2QfIANiREBEH4DQ8Wc3vG+fbo4KT7+
UdLudt2L4rLXaPLXq7aMX2oxdbBgrfqpYlE665boHGmkA06NYo4=
=K8+l
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2114-1] linux-4.9 security update
Next by Date: [SECURITY] [DLA 2131-2] rrdtool regression update
Previous by thread: [SECURITY] [DLA 2114-1] linux-4.9 security update
Next by thread: [SECURITY] [DLA 2131-2] rrdtool regression update
Index(es):
- Date
- Thread