Debian Bug report logs - #339074
linux-ftpd-ssl: Remotely exploitable buffer overflow

Package: linux-ftpd-ssl; Maintainer for linux-ftpd-ssl is Ian Beckwith <ianb@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 14 Nov 2005 20:33:06 UTC

Severity: grave

Tags: security

Fixed in version linux-ftpd-ssl/0.17.18+0.3-5

Done: Cai Qian <caiqian@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Cai Qian <caiqian@debian.org>:
Bug#339074; Package linux-ftpd-ssl.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Cai Qian <caiqian@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: linux-ftpd-ssl: Remotely exploitable buffer overflow
Date: Mon, 14 Nov 2005 21:22:30 +0100
Package: linux-ftpd-ssl
Severity: grave
Tags: security
Justification: user security hole

A remotely exploitable buffer overflow has been found in linux-ftpd-ssl.
Please see http://seclists.org/lists/fulldisclosure/2005/Nov/0140.html for
a PoC exploit.
A proposed patch is available at
http://seclists.org/lists/fulldisclosure/2005/Nov/0147.html

This has been assigned CVE-2005-3524; please mention this in the changelog
when fixing it.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Reply sent to Cai Qian <caiqian@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #10 received at 339074-close@bugs.debian.org:

From: Cai Qian <caiqian@debian.org>
To: 339074-close@bugs.debian.org
Subject: Bug#339074: fixed in linux-ftpd-ssl 0.17.18+0.3-5
Date: Fri, 18 Nov 2005 09:47:28 -0800
Source: linux-ftpd-ssl
Source-Version: 0.17.18+0.3-5

We believe that the bug you reported is fixed in the latest version of
linux-ftpd-ssl, which is due to be installed in the Debian FTP archive:

ftpd-ssl_0.17.18+0.3-5_i386.deb
  to pool/main/l/linux-ftpd-ssl/ftpd-ssl_0.17.18+0.3-5_i386.deb
linux-ftpd-ssl_0.17.18+0.3-5.diff.gz
  to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.18+0.3-5.diff.gz
linux-ftpd-ssl_0.17.18+0.3-5.dsc
  to pool/main/l/linux-ftpd-ssl/linux-ftpd-ssl_0.17.18+0.3-5.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 339074@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cai Qian <caiqian@debian.org> (supplier of updated linux-ftpd-ssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 18 Nov 2005 17:27:01 +0000
Source: linux-ftpd-ssl
Binary: ftpd-ssl
Architecture: source i386
Version: 0.17.18+0.3-5
Distribution: unstable
Urgency: high
Maintainer: Cai Qian <caiqian@debian.org>
Changed-By: Cai Qian <caiqian@debian.org>
Description: 
 ftpd-ssl   - FTP server with SSL encryption support
Closes: 339074
Changes: 
 linux-ftpd-ssl (0.17.18+0.3-5) unstable; urgency=high
 .
   * applied security patch for CVE-2005-3524. (Closes: #339074)
Files: 
 16b9147058f51e0889baf3e3e4e8d7df 919 net extra linux-ftpd-ssl_0.17.18+0.3-5.dsc
 9adccf50c7c24811259ff7dac8663744 5498 net extra linux-ftpd-ssl_0.17.18+0.3-5.diff.gz
 95e4529ef02e753c041fd8b27a531510 48284 net extra ftpd-ssl_0.17.18+0.3-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 13:39:18 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:08:48 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.