Alerta de Segurança Debian

DSA-338-1 proftpd -- injeção SQL

Data do Alerta:
29 Jun 2003
Pacotes Afetados:
proftpd
Vulnerável:
Sim
Referência à base de dados de segurança:
Na base de dados do BugTraq (na SecurityFocus): ID BugTraq 7974.
No dicionário CVE do Mitre: CVE-2003-0500.
Informações adicionais:

runlevel [runlevel@raregazz.org] relatou que o módulo de autenticação PostgreSQL do ProFTPD é vulnerável a um ataque de injeção de código SQL. Esta vulnerabilidade pode ser explorada por atacante remoto não autenticado para executar instruções SQL arbitrárias, expondo potencialmetne as senhas dos outros usuários ou para conectar o ProFTPD como um usuário arbitrário sem fornecer a senha correta.

Na atual distribuição estável (woody) este problema foi corrigido na versão 1.2.4+1.2.5rc1-5woody2.

Na distribuição instável (sid) este problema foi corrigido na versão 1.2.8-8.

Nós recomendamos que você atualize seus pacotes proftpd.

Corrigido em:

Debian GNU/Linux 3.0 (woody)

Fonte:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2.dsc
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2.tar.gz
Componente independente de arquitetura:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-doc_1.2.4+1.2.5rc1-5woody2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_alpha.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_alpha.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_alpha.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_alpha.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_arm.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_arm.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_arm.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_arm.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_i386.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_i386.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_i386.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_i386.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_ia64.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_ia64.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_ia64.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_ia64.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_hppa.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_hppa.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_hppa.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_hppa.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_m68k.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_m68k.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_m68k.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_m68k.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_mips.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_mips.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_mips.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_mips.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_mipsel.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_mipsel.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_mipsel.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_mipsel.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_powerpc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_powerpc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_powerpc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_powerpc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_s390.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_s390.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_s390.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_s390.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2_sparc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.4+1.2.5rc1-5woody2_sparc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.4+1.2.5rc1-5woody2_sparc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.4+1.2.5rc1-5woody2_sparc.deb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.4+1.2.5rc1-5woody2_sparc.deb

Checksums MD5 dos arquivos listados estão disponíveis no alerta original.