Lucene search

DebianDEBIAN:DLA-2115-2:EAF63

HistoryMar 02, 2020 - 6:26 p.m.

[SECURITY] [DLA 2115-2] proftpd-dfsg regression update

2020-03-0218:26:14

lists.debian.org

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.07 Low

EPSS

Percentile

94.0%

JSON

Package : proftpd-dfsg
Version : 1.3.5e+r1.3.5-2+deb8u7
CVE ID : CVE-2020-9273

It was discovered that there was a regression in a previous fix for a
use-after-free vulnerability in the proftpd-dfsg FTP server.

Exploitation of the original vulnerability within the memory pool handling
could have allowed a remote attacker to execute arbitrary code on the
affected system. However, the fix that was released in proftpd-dfsg
version 1.3.5e+r1.3.5-2+deb8u6 had a regression around the handling
of log formatting.

For more information, please see:

https://github.com/proftpd/proftpd/issues/903

For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
1.3.5e+r1.3.5-2+deb8u7.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Regards,

  ,&#x27;&#x27;`.
 : :&#x27;  :     Chris Lamb
 `. `&#x27;`      [email protected] / chris-lamb.co.uk
   `-

OSVersionArchitecturePackageVersionFilename
Debian10mipselproftpd-mod-mysql-dbgsym< 1.3.6-4+deb10u4proftpd-mod-mysql-dbgsym_1.3.6-4+deb10u4_mipsel.deb
Debian10arm64proftpd-mod-ldap< 1.3.6-4+deb10u4proftpd-mod-ldap_1.3.6-4+deb10u4_arm64.deb
Debian10s390xproftpd-mod-ldap< 1.3.6-4+deb10u4proftpd-mod-ldap_1.3.6-4+deb10u4_s390x.deb
Debian9arm64proftpd-basic< 1.3.5b-4+deb9u4proftpd-basic_1.3.5b-4+deb9u4_arm64.deb
Debian10armelproftpd-mod-ldap-dbgsym< 1.3.6-4+deb10u4proftpd-mod-ldap-dbgsym_1.3.6-4+deb10u4_armel.deb
Debian10armelproftpd-mod-sqlite-dbgsym< 1.3.6-4+deb10u4proftpd-mod-sqlite-dbgsym_1.3.6-4+deb10u4_armel.deb
Debian10s390xproftpd-mod-sqlite-dbgsym< 1.3.6-4+deb10u4proftpd-mod-sqlite-dbgsym_1.3.6-4+deb10u4_s390x.deb
Debian8amd64proftpd-basic< 1.3.5e+r1.3.5-2+deb8u7proftpd-basic_1.3.5e+r1.3.5-2+deb8u7_amd64.deb
Debian10amd64proftpd-mod-snmp< 1.3.6-4+deb10u4proftpd-mod-snmp_1.3.6-4+deb10u4_amd64.deb
Debian10i386proftpd-dev< 1.3.6-4+deb10u4proftpd-dev_1.3.6-4+deb10u4_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	mipsel	proftpd-mod-mysql-dbgsym	< 1.3.6-4+deb10u4	proftpd-mod-mysql-dbgsym_1.3.6-4+deb10u4_mipsel.deb
Debian	10	arm64	proftpd-mod-ldap	< 1.3.6-4+deb10u4	proftpd-mod-ldap_1.3.6-4+deb10u4_arm64.deb
Debian	10	s390x	proftpd-mod-ldap	< 1.3.6-4+deb10u4	proftpd-mod-ldap_1.3.6-4+deb10u4_s390x.deb
Debian	9	arm64	proftpd-basic	< 1.3.5b-4+deb9u4	proftpd-basic_1.3.5b-4+deb9u4_arm64.deb
Debian	10	armel	proftpd-mod-ldap-dbgsym	< 1.3.6-4+deb10u4	proftpd-mod-ldap-dbgsym_1.3.6-4+deb10u4_armel.deb
Debian	10	armel	proftpd-mod-sqlite-dbgsym	< 1.3.6-4+deb10u4	proftpd-mod-sqlite-dbgsym_1.3.6-4+deb10u4_armel.deb
Debian	10	s390x	proftpd-mod-sqlite-dbgsym	< 1.3.6-4+deb10u4	proftpd-mod-sqlite-dbgsym_1.3.6-4+deb10u4_s390x.deb
Debian	8	amd64	proftpd-basic	< 1.3.5e+r1.3.5-2+deb8u7	proftpd-basic_1.3.5e+r1.3.5-2+deb8u7_amd64.deb
Debian	10	amd64	proftpd-mod-snmp	< 1.3.6-4+deb10u4	proftpd-mod-snmp_1.3.6-4+deb10u4_amd64.deb
Debian	10	i386	proftpd-dev	< 1.3.6-4+deb10u4	proftpd-dev_1.3.6-4+deb10u4_i386.deb