Debian Security Advisory
DSA-032-1 proftpd -- proftpd running with incorrect userid, erroneous file removal
- Date Reported: 07 Mar 2001
- Affected Packages: proftpd
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2001-0456.
- More information:
  The following problems have been reported for the version of proftpd in Debian 2.2 (potato):
  - The postinst script contains a configuration error that is triggered when the user enters 'yes' when asked whether anonymous access should be enabled. The postinst script wrongly leaves the 'run as uid/gid root' configuration option in /etc/proftpd.conf, and adds a 'run as uid/gid nobody' option that has no effect.
  - There is a bug that shows up when /var is a symlink and proftpd is restarted. When proftpd is stopped, the /var symlink is removed; when it is started again, a file named /var is created.
  The above problems have been corrected in proftpd-1.2.0pre10-2.0potato1. We recommend that you upgrade your proftpd package immediately.
- Fixed in: Debian 2.2 (potato)
- Source:
  http://security.debian.org/dists/stable/updates/main/source/proftpd_1.2.0pre10-2.0potato1.diff.gz
  http://security.debian.org/dists/stable/updates/main/source/proftpd_1.2.0pre10-2.0potato1.dsc
  http://security.debian.org/dists/stable/updates/main/source/proftpd_1.2.0pre10.orig.tar.gz
- alpha:
  http://security.debian.org/dists/stable/updates/main/binary-alpha/proftpd_1.2.0pre10-2.0potato1_alpha.deb
- arm:
  http://security.debian.org/dists/stable/updates/main/binary-arm/proftpd_1.2.0pre10-2.0potato1_arm.deb
- i386:
  http://security.debian.org/dists/stable/updates/main/binary-i386/proftpd_1.2.0pre10-2.0potato1_i386.deb
- m68k:
  http://security.debian.org/dists/stable/updates/main/binary-m68k/proftpd_1.2.0pre10-2.0potato1_m68k.deb
- powerpc:
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/proftpd_1.2.0pre10-2.0potato1.1_powerpc.deb
- sparc:
  http://security.debian.org/dists/stable/updates/main/binary-sparc/proftpd_1.2.0pre10-2.0potato1_sparc.deb