Debian Bug report logs - #585776
pyftpd: Default username and password vulnerability


Package: pyftpd; Maintainer for pyftpd is Radovan Garabík <garabik@kassiopeia.juls.savba.sk>; Source for pyftpd is src:pyftpd.

Reported by: Henri Salo <henri@nerv.fi>

Date: Sun, 13 Jun 2010 19:30:02 UTC

Severity: critical

Tags: security

Found in version pyftpd/0.8.4.6

Fixed in versions pyftpd/0.8.5, pyftpd/0.8.4.6+lenny1

Done: Radovan Garabík <garabik@kassiopeia.juls.savba.sk>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Radovan Garabík <garabik@kassiopeia.juls.savba.sk>:
Bug#585776; Package pyftpd. (Sun, 13 Jun 2010 19:30:04 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Radovan Garabík <garabik@kassiopeia.juls.savba.sk>. (Sun, 13 Jun 2010 19:30:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org, garabik@kassiopeia.juls.savba.sk
Subject: pyftpd: Default username and password vulnerability
Date: Sun, 13 Jun 2010 22:23:59 +0300
Package: pyftpd
Version: 0.8.4.6
Severity: critical
Justification: root security hole
Tags: security

*** Please type your report below this line ***
File /etc/pyftpd/auth_db_config.py contains:

passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
 ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
 ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]

These accounts can be used to log in to the FTP server and read
arbitrary files and list directories. File perm_acl_config.py lists
user permissions.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
(ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/bash

Versions of packages pyftpd depends on:
ii  python                        2.5.2-3    An interactive high-level object-o
ii  python-central                0.6.8      register and build utility for Pyt

Versions of packages pyftpd recommends:
ii  python-tk                     2.5.2-1    Tkinter - Writing Tk applications

pyftpd suggests no packages.

-- no debconf information
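As a defender's check on the kind of shipped configuration described in the report above (an added example, not code from pyftpd or from this bug log): a small audit that reads the passwd list out of an auth_db_config.py without importing it and flags known default accounts, passwords equal to the username, and a few common weak passwords. It assumes pyftpd stores base64-encoded raw MD5 digests, which is inferred from the first entry shown rather than stated on the page; the sample config and the 'backup' and 'alice' accounts are constructed here.

```python
import ast
import base64
import hashlib

# Account names shipped as defaults in pyftpd 0.8.4.6 according to the report.
DEFAULT_USERS = {"test", "user", "roxon"}


def pyftpd_hash(password):
    """Assumed format: base64 of the raw MD5 digest (inferred from the 'test' entry)."""
    return base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def parse_passwd(config_text):
    """Read `passwd = [...]` from auth_db_config.py without executing it."""
    for node in ast.parse(config_text).body:
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == "passwd" for t in node.targets):
            return [tuple(e) for e in ast.literal_eval(node.value)]
    return []


def audit(config_text, weak_passwords=("password", "123456", "ftp")):
    """Map username -> findings for accounts a fresh install should not have."""
    findings = {}
    for user, _group, stored in parse_passwd(config_text):
        problems = []
        if user in DEFAULT_USERS:
            problems.append("known pyftpd default account")
        if stored == pyftpd_hash(user):
            problems.append("password equals username")
        for candidate in weak_passwords:
            if stored == pyftpd_hash(candidate):
                problems.append("weak password %r" % candidate)
        if problems:
            findings[user] = problems
    return findings


# Constructed sample in the shape of /etc/pyftpd/auth_db_config.py: the first hash
# is copied from the report, the other two accounts are made up for this example.
SAMPLE_CONFIG = (
    "passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),\n"
    f" ('backup', 'users', '{pyftpd_hash('password')}'),\n"
    f" ('alice', 'staff', '{pyftpd_hash('N0t-a-default!')}')]\n"
)

if __name__ == "__main__":
    for user, problems in sorted(audit(SAMPLE_CONFIG).items()):
        print(user + ": " + "; ".join(problems))
```

Running it against a real /etc/pyftpd/auth_db_config.py is a quick way to confirm that the 0.8.5 / 0.8.4.6+lenny1 fix (no default users) actually took effect on an upgraded host.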




Reply sent to Radovan Garabík <garabik@kassiopeia.juls.savba.sk>:
You have taken responsibility. (Mon, 14 Jun 2010 15:39:13 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 14 Jun 2010 15:39:13 GMT)

Message #10 received at 585776-close@bugs.debian.org:

From: Radovan Garabík <garabik@kassiopeia.juls.savba.sk>
To: 585776-close@bugs.debian.org
Subject: Bug#585776: fixed in pyftpd 0.8.5
Date: Mon, 14 Jun 2010 15:38:04 +0000
Source: pyftpd
Source-Version: 0.8.5

We believe that the bug you reported is fixed in the latest version of
pyftpd, which is due to be installed in the Debian FTP archive:

pyftpd_0.8.5.dsc
  to main/p/pyftpd/pyftpd_0.8.5.dsc
pyftpd_0.8.5.tar.gz
  to main/p/pyftpd/pyftpd_0.8.5.tar.gz
pyftpd_0.8.5_all.deb
  to main/p/pyftpd/pyftpd_0.8.5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Radovan Garabík <garabik@kassiopeia.juls.savba.sk> (supplier of updated pyftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 14 Jun 2010 16:09:53 +0200
Source: pyftpd
Binary: pyftpd
Architecture: source all
Version: 0.8.5
Distribution: unstable
Urgency: high
Maintainer: Radovan Garabík <garabik@kassiopeia.juls.savba.sk>
Changed-By: Radovan Garabík <garabik@kassiopeia.juls.savba.sk>
Description: 
 pyftpd     - ftp daemon with advanced features
Closes: 585275 585773 585776
Changes: 
 pyftpd (0.8.5) unstable; urgency=high
 .
   * get rid of one last forgotten string exception (closes: #585275)
   * SECURITY: change default configuration - do not include any default users, disable
     anonymous access (closes: #585776)
   * SECURITY: change default logging file to /dev/null (closes: #585773)

Information forwarded to debian-bugs-dist@lists.debian.org, Radovan Garabík <garabik@kassiopeia.juls.savba.sk>:
Bug#585776; Package pyftpd. (Mon, 14 Jun 2010 20:45:09 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Radovan Garabík <garabik@kassiopeia.juls.savba.sk>. (Mon, 14 Jun 2010 20:45:09 GMT)

Message #15 received at 585776@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 585776@bugs.debian.org
Subject: CVE-2010-2073
Date: Mon, 14 Jun 2010 23:33:17 +0300
CVE-2010-2073 is assigned for this issue.




Reply sent to Radovan Garabík <garabik@kassiopeia.juls.savba.sk>:
You have taken responsibility. (Sun, 20 Jun 2010 20:36:12 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 20 Jun 2010 20:36:12 GMT)

Message #20 received at 585776-close@bugs.debian.org:

From: Radovan Garabík <garabik@kassiopeia.juls.savba.sk>
To: 585776-close@bugs.debian.org
Subject: Bug#585776: fixed in pyftpd 0.8.4.6+lenny1
Date: Sun, 20 Jun 2010 20:32:09 +0000
Source: pyftpd
Source-Version: 0.8.4.6+lenny1

We believe that the bug you reported is fixed in the latest version of
pyftpd, which is due to be installed in the Debian FTP archive:

pyftpd_0.8.4.6+lenny1.dsc
  to main/p/pyftpd/pyftpd_0.8.4.6+lenny1.dsc
pyftpd_0.8.4.6+lenny1.tar.gz
  to main/p/pyftpd/pyftpd_0.8.4.6+lenny1.tar.gz
pyftpd_0.8.4.6+lenny1_all.deb
  to main/p/pyftpd/pyftpd_0.8.4.6+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Radovan Garabík <garabik@kassiopeia.juls.savba.sk> (supplier of updated pyftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 16 Jun 2010 19:42:14 +0200
Source: pyftpd
Binary: pyftpd
Architecture: source all
Version: 0.8.4.6+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Radovan Garabík <garabik@kassiopeia.juls.savba.sk>
Changed-By: Radovan Garabík <garabik@kassiopeia.juls.savba.sk>
Description: 
 pyftpd     - ftp daemon with advanced features
Closes: 585773 585776
Changes: 
 pyftpd (0.8.4.6+lenny1) stable-security; urgency=high
 .
   * SECURITY: change default configuration - do not include any
     default users, disable anonymous access - CVE-2010-2073
     (closes: #585776)
   * SECURITY: change default logging file to /dev/null -
     CVE-2010-2072 (closes: #585773)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Jul 2010 07:35:18 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:54:22 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.