Lucene search

K
debianDebianDEBIAN:C3198C7038C741D18B1B552AA2E029E6:E7DF7
HistoryJan 26, 2010 - 9:06 p.m.

[Backports-security-announce] Security Update for proftpd-dfsg

2010-01-2621:06:44
lists.debian.org
28

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.005

Percentile

75.8%

Francesco P. Lovergine uploaded new packages for proftpd-dfsg which fixed the
following security problem:

CVE-2009-3639

The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2,
when the dNSNameRequired TLS option is enabled, does not properly
handle a '\0' character in a domain name in the Subject Alternative
Name field of an X.509 client certificate, which allows remote
attackers to bypass intended client-hostname restrictions via a crafted
certificate issued by a legitimate Certification Authority, a related
issue to CVE-2009-2408.

For the etch-backports distribution the problems have been fixed in
version 1.3.1-17lenny4~bpo40+1.

For the lenny and sid distributions the problems have been fixed in version
1.3.1-17lenny4 and 1.3.2b-1.

Upgrade instructions

If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t etch-backports install <packagelist>" with the
packagelist of your installed packages affected by this update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions&gt;

We recommend to pin the backports repository to 200 so that new versions
of installed backports will be installed automatically:

Package: *
Pin: release a=etch-backports
Pin-Priority: 200

Attachment:
signature.asc
Description: Digital signature

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.005

Percentile

75.8%