Debian Bug report logs - #723179
proftpd-dfsg: CVE-2013-4359

version graph

Package: proftpd-dfsg; Maintainer for proftpd-dfsg is ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 17 Sep 2013 06:03:02 UTC

Severity: grave

Tags: patch, security, upstream

Fixed in versions proftpd-dfsg/1.3.4a-5+deb7u1, proftpd-dfsg/1.3.3a-6squeeze7, proftpd-dfsg/1.3.5~rc3-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.proftpd.org/show_bug.cgi?id=3973

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#723179; Package proftpd-dfsg. (Tue, 17 Sep 2013 06:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Tue, 17 Sep 2013 06:03:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd-dfsg: CVE-2013-4359
Date: Tue, 17 Sep 2013 07:58:25 +0200
Package: proftpd-dfsg
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for proftpd-dfsg.

CVE-2013-4359[0]:
mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

As far I can read in references however, keyboard interactive
authentication is rare as not enabled by default.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4359
    http://security-tracker.debian.org/tracker/CVE-2013-4359
[1] http://marc.info/?l=oss-security&m=137914240227778&w=2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 27 Sep 2013 12:12:06 GMT) Full text and rfc822 format available.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Tue, 01 Oct 2013 19:18:14 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 Oct 2013 19:18:14 GMT) Full text and rfc822 format available.

Message #12 received at 723179-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 723179-close@bugs.debian.org
Subject: Bug#723179: fixed in proftpd-dfsg 1.3.4a-5+deb7u1
Date: Tue, 01 Oct 2013 19:17:05 +0000
Source: proftpd-dfsg
Source-Version: 1.3.4a-5+deb7u1

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Sep 2013 16:49:45 +0000
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite
Architecture: source amd64 all
Version: 1.3.4a-5+deb7u1
Distribution: stable-security
Urgency: high
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 723179
Changes: 
 proftpd-dfsg (1.3.4a-5+deb7u1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix invalid pool authentication in mod_sftp/mod_sftp_pam during kbdint
     authentication leading to DoS conditions (CVE-2013-4359; Closes: #723179).
Checksums-Sha1: 
 1c6f1a576a2dd6a202ebc83cff755a18c914cd75 2597 proftpd-dfsg_1.3.4a-5+deb7u1.dsc
 3ba91faf3d8cb6132053f4139f2ea75afda2b602 7454087 proftpd-dfsg_1.3.4a.orig.tar.gz
 2ad0e79247ec139da226a95ae0ad39f475722c8c 100824 proftpd-dfsg_1.3.4a-5+deb7u1.debian.tar.gz
 5c3cb69629de8dda892c3b5764e267687d298bc8 2556076 proftpd-basic_1.3.4a-5+deb7u1_amd64.deb
 fb26dfcdc225903f04eda3db85f01cc2d7f0c217 1008848 proftpd-dev_1.3.4a-5+deb7u1_amd64.deb
 240d50331abc3554519b21641c466084a6ca4f4b 400416 proftpd-mod-mysql_1.3.4a-5+deb7u1_amd64.deb
 1c16360aad98812e3bf61759c12d4553b3ff6c5a 400054 proftpd-mod-pgsql_1.3.4a-5+deb7u1_amd64.deb
 71885ab0ea8a6c9ee156d3452bde7db78c1ec377 409462 proftpd-mod-ldap_1.3.4a-5+deb7u1_amd64.deb
 2045be8601f7b8d778a59377644599b226b10bd2 401570 proftpd-mod-odbc_1.3.4a-5+deb7u1_amd64.deb
 1ca3a30e2326a487ca44af86c6d17e3c7853e8f5 399328 proftpd-mod-sqlite_1.3.4a-5+deb7u1_amd64.deb
 d9c5511e7dfa0da78fc0ab6960e3c29186708bc6 1610074 proftpd-doc_1.3.4a-5+deb7u1_all.deb
Checksums-Sha256: 
 7b165975012b3f69b40785bf4d84be82584cfcd34952894702e840c7919d71d6 2597 proftpd-dfsg_1.3.4a-5+deb7u1.dsc
 2068f55e5243a334dbe2f6e3dbb214f8f2be1c7ae3313573b8cd5a77530cdfda 7454087 proftpd-dfsg_1.3.4a.orig.tar.gz
 603daff5faeee1e14c778122a9f959fd12d277fb180c5b5962dff4ef4d07591d 100824 proftpd-dfsg_1.3.4a-5+deb7u1.debian.tar.gz
 c545d70413794ab3e5ff90a214ba0745cd1bf298b4b903235b2ce4ccb87fe43a 2556076 proftpd-basic_1.3.4a-5+deb7u1_amd64.deb
 edf3f06c8500729df593bd7829c439c7bf484f38fa80025afd4c29b5f07dec19 1008848 proftpd-dev_1.3.4a-5+deb7u1_amd64.deb
 6da8710de840fcf54b6c59ecf6506f2c5848bcf62f31755c2ba6b97e5969eda7 400416 proftpd-mod-mysql_1.3.4a-5+deb7u1_amd64.deb
 68f57d86300591ff4f87a05ed85a25b6aa627019f9590cebdd7be26c4594e19f 400054 proftpd-mod-pgsql_1.3.4a-5+deb7u1_amd64.deb
 969536d9820d3fcb329d19aaa192984d4535e08ae4c31ff2a0aa2cbe0c47e430 409462 proftpd-mod-ldap_1.3.4a-5+deb7u1_amd64.deb
 b1587ba90b2ce79c77167771ec4fcd7abfa7c7c004ec0ed5c4e0ee47b127ac3d 401570 proftpd-mod-odbc_1.3.4a-5+deb7u1_amd64.deb
 3e09de642c79caf57d2a2acc365e86af92857f2a58c18c604ef78823fb8d613e 399328 proftpd-mod-sqlite_1.3.4a-5+deb7u1_amd64.deb
 f67b985cae631e3b66db10da83e24338a1d26e76c4fc2b7a0e36dc18fb370fa6 1610074 proftpd-doc_1.3.4a-5+deb7u1_all.deb
Files: 
 ce3870b1abdb8508fb4af08219db2983 2597 net optional proftpd-dfsg_1.3.4a-5+deb7u1.dsc
 5a5959f9092cb08144538e85d63f6b52 7454087 net optional proftpd-dfsg_1.3.4a.orig.tar.gz
 192fb102dbeb5de3133737bf6f0200e5 100824 net optional proftpd-dfsg_1.3.4a-5+deb7u1.debian.tar.gz
 4c78b53d51760686fcbda2abfaece72e 2556076 net optional proftpd-basic_1.3.4a-5+deb7u1_amd64.deb
 ef928da6f91dd5a0e8b92bac296f9748 1008848 net optional proftpd-dev_1.3.4a-5+deb7u1_amd64.deb
 8751880dcbdb7d3121797d264a4396b3 400416 net optional proftpd-mod-mysql_1.3.4a-5+deb7u1_amd64.deb
 d989c89054af958fdd9e3bdd7236ebd1 400054 net optional proftpd-mod-pgsql_1.3.4a-5+deb7u1_amd64.deb
 f19f235c9bb3b5e1f6f19c33ed410956 409462 net optional proftpd-mod-ldap_1.3.4a-5+deb7u1_amd64.deb
 91973a83130e2fabe418ccbae4816ab8 401570 net optional proftpd-mod-odbc_1.3.4a-5+deb7u1_amd64.deb
 4e9df5aba0b7cd6a5c2d1a5aebd7eeb0 399328 net optional proftpd-mod-sqlite_1.3.4a-5+deb7u1_amd64.deb
 fd760b960e1b53dc8e62e794ba2db99c 1610074 doc optional proftpd-doc_1.3.4a-5+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSRzA9AAoJEM1LKvOgoKqqmNsQAJjZyU/ic8li+aCjPUP97tnF
WT8z4A76xOBpDs+UXQuyxpJA+oI6mXCed8N4oZ4hCyVyu6rhXAP3s7Hpc0nSYteq
YlfnnLMI4BLqGrH0FKqyLzAzVvr9fFLKyj/9A6js2fcksxuJuNCMrnHy+50Y9AI7
UBHzRKCB0gyQS34xSHOOmD3KsjXnEr9vTOrV0A66EgPhG+UIbLbupNGrExQown41
QPvWy4Qfbq8eWddhw32l77kWp7QnvN/9Vz0T4LE57DyhFK3zSVNGNFXTS2JVYfVM
IQidxQtDcXJTUYAxGJdcZCpyXVTaQHJLaG5gSf6UwEYdDJJO8WQbE42dQ1mWR+Sj
wzKlmPAaT3/Szeuy2sMKzwZkOFX5PfPrGDDkZT71sBEUMOnVYre2QgAYzI1lqZpA
FBAOsSPRQwm/hSWfwVWCzeoSoK4gwOXl4yPwUCc1cNiixcH5el3kZnIiSVvJBf4z
fpZDrY1qy/7DBr3PcSM7m11Zjs+HC/lGpPR9HB1dmuSUFQm0cQrWKpPOoRYRZoVP
pe5+A7SDh6wGIBrRVAsF32js0aXXbYy4d8Z1s7Dc3YDPRGZz41VMVKnX6Hs3ApBB
WOIqxHvjPjZ8OAqdv+PfTtRZK3i3DibSbu0Sy1fPlFHfHDg1wqamY6omrPMNc64M
P9GL8GxSez18L4KS8B4t
=jXWT
-----END PGP SIGNATURE-----




Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Tue, 01 Oct 2013 19:18:23 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 01 Oct 2013 19:18:23 GMT) Full text and rfc822 format available.

Message #17 received at 723179-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 723179-close@bugs.debian.org
Subject: Bug#723179: fixed in proftpd-dfsg 1.3.3a-6squeeze7
Date: Tue, 01 Oct 2013 19:17:44 +0000
Source: proftpd-dfsg
Source-Version: 1.3.3a-6squeeze7

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Sep 2013 16:49:44 +0000
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite
Architecture: source amd64 all
Version: 1.3.3a-6squeeze7
Distribution: oldstable-security
Urgency: high
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 723179
Changes: 
 proftpd-dfsg (1.3.3a-6squeeze7) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix invalid pool authentication in mod_sftp/mod_sftp_pam during kbdint
     authentication leading to DoS conditions (CVE-2013-4359; Closes: #723179).
Checksums-Sha1: 
 c43d85909791021ad7d91c00522746c4394d54f0 2066 proftpd-dfsg_1.3.3a-6squeeze7.dsc
 2baa4767769a540c88580d754b067c7d70efbf7e 111688 proftpd-dfsg_1.3.3a-6squeeze7.diff.gz
 e22d152defa99ceb0357cb7112fdb77a3833f19d 2406778 proftpd-basic_1.3.3a-6squeeze7_amd64.deb
 5d3b093ea00a1ee618f9c4c000e454b9280eaada 892910 proftpd-dev_1.3.3a-6squeeze7_amd64.deb
 524377ed50dc06f81dc3c57da4fb7970d9218f7e 347456 proftpd-mod-mysql_1.3.3a-6squeeze7_amd64.deb
 1209bf9c761d348087e25efaedb5bcb363c7bfb9 347130 proftpd-mod-pgsql_1.3.3a-6squeeze7_amd64.deb
 bb4f8970f83c17c3ef4bb1cd1c89061aa2e053e6 357250 proftpd-mod-ldap_1.3.3a-6squeeze7_amd64.deb
 b33a5e68e48b69f84a1fc24ce3fd56b0db5a0b1a 348788 proftpd-mod-odbc_1.3.3a-6squeeze7_amd64.deb
 ce1b0bf5977a1c33ab1d9c94321d1fe84b523756 346472 proftpd-mod-sqlite_1.3.3a-6squeeze7_amd64.deb
 3bd6ae9ae15865e5ae73c12caa2d2142bcad829e 1508634 proftpd-doc_1.3.3a-6squeeze7_all.deb
Checksums-Sha256: 
 879e64547f821a497c821882e9c21329767756b35a7abf3966acefba15fb72dd 2066 proftpd-dfsg_1.3.3a-6squeeze7.dsc
 e5ac992cd9c44dae15a604af55bc72395290513fbc829c17e73a7161763dcf94 111688 proftpd-dfsg_1.3.3a-6squeeze7.diff.gz
 a0d07e4d8bf67113c86af484e2b0c7ef58015a8b9df560524e843036b9eef3bb 2406778 proftpd-basic_1.3.3a-6squeeze7_amd64.deb
 f3699f232559e5f543178f2f8e80b12edb36635eaad9b9fe6049adb7c2c35d15 892910 proftpd-dev_1.3.3a-6squeeze7_amd64.deb
 b952a7a9175cf816ce6ec0455ad17796d7aa50c6a9a27aeb360c5bfa0f217be1 347456 proftpd-mod-mysql_1.3.3a-6squeeze7_amd64.deb
 38769fb10564860e83187e3f7dbf9ccc9512ff8f8e8b376fa6af4cb88f74531a 347130 proftpd-mod-pgsql_1.3.3a-6squeeze7_amd64.deb
 ee1b903ef72715aa81e3a377e34dc9b7b55c9ccfae002b24b91eefc284646f02 357250 proftpd-mod-ldap_1.3.3a-6squeeze7_amd64.deb
 32d1610ce90633c3cfc7c610ac7e9616c6f198f90c1045c45712ba1c5e5c97ac 348788 proftpd-mod-odbc_1.3.3a-6squeeze7_amd64.deb
 4f0c4387777cd96f7ac1fd4e0982751802f3e652464ae4253b4418c42962d8d6 346472 proftpd-mod-sqlite_1.3.3a-6squeeze7_amd64.deb
 91b53aced6c9fd94d96178dabcbbb8310135898137d40d0b554dcecb07466fc4 1508634 proftpd-doc_1.3.3a-6squeeze7_all.deb
Files: 
 123e85cf26fbf0ef699682669cec7f07 2066 net optional proftpd-dfsg_1.3.3a-6squeeze7.dsc
 971b408686eff4d643810a3160dec2a6 111688 net optional proftpd-dfsg_1.3.3a-6squeeze7.diff.gz
 d7f23106f85e2abf0cdfe10bed83ab54 2406778 net optional proftpd-basic_1.3.3a-6squeeze7_amd64.deb
 0465b6afc6a49209aaa542f80cf12232 892910 net optional proftpd-dev_1.3.3a-6squeeze7_amd64.deb
 e9d522f80dd7c090de4fb8561b08074a 347456 net optional proftpd-mod-mysql_1.3.3a-6squeeze7_amd64.deb
 000f46cbfe417f29d4f2cf2235fc1d60 347130 net optional proftpd-mod-pgsql_1.3.3a-6squeeze7_amd64.deb
 e01b89774a46ae4cdb0b3e42eb184d1b 357250 net optional proftpd-mod-ldap_1.3.3a-6squeeze7_amd64.deb
 174dca08d83ea777eeb68c59aae8d757 348788 net optional proftpd-mod-odbc_1.3.3a-6squeeze7_amd64.deb
 3f5a546934bd085e1b77b77cb4cd95c9 346472 net optional proftpd-mod-sqlite_1.3.3a-6squeeze7_amd64.deb
 53aff8b046dfec3ac5f20b8409751d38 1508634 doc optional proftpd-doc_1.3.3a-6squeeze7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSRw0MAAoJEM1LKvOgoKqqolMP/1qegz1ykK2vs2P6J/LYdWXj
c2PSTsvho2HLmKYSe273IXGSqm89CAMf+oKXMb9vB282XJojDlpb8I5rmcXJuDln
LPLX2vzHlbxGAWlS3u3hjLkj6jsWCCKNf5EUqaW7HhtPnYAVLOjztGI5RIVCo+18
Qj7Ju+hHNulGw9HTwEHNWzIUoWPRETGXONEDDb7cPhhPmJjeJFsrCkD7vz4LUdPM
wX6h2qgJQGLTTFU/2DzPlE8mF1JBaxqTeUe++B2RIEfToElnTG867Cb6QPMmaj6L
cKexX+eh6PXY3yH680vPvlkhV+7cmWYnwqbCFcTcNZUSgCZ/x+1EU8DhRDOHLCGV
tAMcS4kc2hn8dsOO/3Qy1Ss7E745DUNPDKQMiXEMoWsxokcgfU7RHmM2B4gvvL/f
A/QVw9nq1b2VEttcJoLmzuPLEjwAbwhdB3/xAzXXAIrCTO9d4XW7AU0iqHq/XV5H
9w6nlJc3C9praGlo0+TZGdnPnZSNvjE2kTwDcPs+8RFsBzrnWRUqCJ2Uy0d1MXcR
45jXYIs/ZkeVX41DFyXMJXd+tArDTOse30GOA69xHfjpKH11RkiHoIIuKEQajD+M
/8RBDX6SWSzDqatt1zKsvd41QHpuTEXJxuuVugXpRT4/bZ2eaZuD6OOYanuKLMJq
Ls4YGaTHseIQ5Yw8igmX
=aadv
-----END PGP SIGNATURE-----




Set Bug forwarded-to-address to 'http://bugs.proftpd.org/show_bug.cgi?id=3973'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 03 Oct 2013 21:33:04 GMT) Full text and rfc822 format available.

Added tag(s) pending and patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 699647-submit@bugs.debian.org. (Sat, 05 Oct 2013 13:27:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#723179; Package proftpd-dfsg. (Sat, 05 Oct 2013 13:27:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Sat, 05 Oct 2013 13:27:09 GMT) Full text and rfc822 format available.

Message #26 received at 723179@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 699647@bugs.debian.org, 723179@bugs.debian.org
Subject: proftpd-dfsg: diff for NMU version 1.3.5~rc3-2.1
Date: Sat, 5 Oct 2013 15:25:29 +0200
[Message part 1 (text/plain, inline)]
Control: tags 699647 + pending
Control: tags 723179 + pending patch

Dear maintainer,

I've prepared an NMU for proftpd-dfsg (versioned as 1.3.5~rc3-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[proftpd-dfsg-1.3.5~rc3-2.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 07 Oct 2013 13:51:15 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 07 Oct 2013 13:51:15 GMT) Full text and rfc822 format available.

Message #31 received at 723179-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 723179-close@bugs.debian.org
Subject: Bug#723179: fixed in proftpd-dfsg 1.3.5~rc3-2.1
Date: Mon, 07 Oct 2013 13:49:43 +0000
Source: proftpd-dfsg
Source-Version: 1.3.5~rc3-2.1

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 05 Oct 2013 14:51:36 +0200
Source: proftpd-dfsg
Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite proftpd-mod-geoip
Architecture: source amd64 all
Version: 1.3.5~rc3-2.1
Distribution: unstable
Urgency: low
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
 proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
 proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
 proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
 proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
Closes: 699647 723179
Changes: 
 proftpd-dfsg (1.3.5~rc3-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add CVE-2013-4359.patch patch.
     CVE-2013-4359: Fix invalid pool authentication in mod_sftp/mod_sftp_pam
     during kbdint authentication leading to DoS conditions. (Closes: #723179)
   * Correct Breaks and Replaces on proftpd-mod-geoip package.
     The old proftpd-mod-geoip addon module is now obsoleted by core proftpd.
     Adjusted the Breaks/Replaces to 1.3.5~rc1-1 which introduced the geoip
     module in proftpd core.
     Thanks to Andreas Beckmann <anbe@debian.org> (Closes: #699647)
Checksums-Sha1: 
 be6e61e65a1b1aac9ad1d29ba39a1e30c23cae30 2715 proftpd-dfsg_1.3.5~rc3-2.1.dsc
 74e332caaa4ecf68cfe2f91afdb9e1500965abfa 100140 proftpd-dfsg_1.3.5~rc3-2.1.debian.tar.gz
 cefebebe1ea2e364e437d325774350e4028a9237 2413432 proftpd-basic_1.3.5~rc3-2.1_amd64.deb
 a7daa6ae59733b88842808c4f9b6597149763c46 923560 proftpd-dev_1.3.5~rc3-2.1_amd64.deb
 f042b84963545d3f3566073410b57cdab7704a13 457190 proftpd-mod-mysql_1.3.5~rc3-2.1_amd64.deb
 c74ab3b4bf90e54fad2b7e6212cf5bb4079ad040 456826 proftpd-mod-pgsql_1.3.5~rc3-2.1_amd64.deb
 f51dfae22d94fb156d770290f93d14296316316e 464192 proftpd-mod-ldap_1.3.5~rc3-2.1_amd64.deb
 636fe478655668adecd7eedd9e84464875f88b9b 458104 proftpd-mod-odbc_1.3.5~rc3-2.1_amd64.deb
 1a3d06c0d2d06d2c2bd2c2505335d415e98a0ae4 456248 proftpd-mod-sqlite_1.3.5~rc3-2.1_amd64.deb
 5fe72636392d6607d935db9198e5edad3d0c77be 457524 proftpd-mod-geoip_1.3.5~rc3-2.1_amd64.deb
 4bc14def5c59c384be6f5dff912af19454b4b05d 907656 proftpd-doc_1.3.5~rc3-2.1_all.deb
Checksums-Sha256: 
 d5c4aa8c8599d8d36c44b21948213cbde37d6f885d67ee797775451d28f74d61 2715 proftpd-dfsg_1.3.5~rc3-2.1.dsc
 7b1571670bdf6979b4aa8fd22000ea01d5c03f570d1bf7b2f51271e5bd1c6c28 100140 proftpd-dfsg_1.3.5~rc3-2.1.debian.tar.gz
 243b169f35500bc15d2b524bf16cfefdef4cf3617074fc67891aa1cfcfc8d188 2413432 proftpd-basic_1.3.5~rc3-2.1_amd64.deb
 75090f80f2f12d246aa63bb66630f5661fa160f26fc897aa62052fff25d01fb3 923560 proftpd-dev_1.3.5~rc3-2.1_amd64.deb
 e05b61a5ae403d70c724a57d1532a2e5be4ef06f3e094f12a63bf6067e8d1834 457190 proftpd-mod-mysql_1.3.5~rc3-2.1_amd64.deb
 34984ea532a89a250e31d5acb52c130e8cef3a4b393df1d97fbb13720c629e50 456826 proftpd-mod-pgsql_1.3.5~rc3-2.1_amd64.deb
 44a3ce2d09144ba787a65dd7bececfff13b150e9fdd171ca08001d39970d5b06 464192 proftpd-mod-ldap_1.3.5~rc3-2.1_amd64.deb
 f5509477f592e63db7a4e01beed6f788853771904686e1f851eb04de377877d9 458104 proftpd-mod-odbc_1.3.5~rc3-2.1_amd64.deb
 aa28fa2fafee955864f8947d95e2c1b2424fdc0c4bb8deaa1734e34793db174e 456248 proftpd-mod-sqlite_1.3.5~rc3-2.1_amd64.deb
 f4e72dab622e4cd3140356287ead7852c35a10b743f932a7f92c891a2d7116eb 457524 proftpd-mod-geoip_1.3.5~rc3-2.1_amd64.deb
 0ef6e47054778b4f1498fef933f05261cbf8cb618dff11bb2e516cd113becdba 907656 proftpd-doc_1.3.5~rc3-2.1_all.deb
Files: 
 53a49f6b43f5725757bee6b04c681fdd 2715 net optional proftpd-dfsg_1.3.5~rc3-2.1.dsc
 1bf0b6da7675593c58721b4b8dda0f79 100140 net optional proftpd-dfsg_1.3.5~rc3-2.1.debian.tar.gz
 65ef9bf6e530d34da39d5cf942e063a1 2413432 net optional proftpd-basic_1.3.5~rc3-2.1_amd64.deb
 1434461da4980e31ee7daaf58f355732 923560 net optional proftpd-dev_1.3.5~rc3-2.1_amd64.deb
 57ef68dd8eb31a6aafece597a8bfb5af 457190 net optional proftpd-mod-mysql_1.3.5~rc3-2.1_amd64.deb
 2aaed936bb51b15cae3016fe939ff853 456826 net optional proftpd-mod-pgsql_1.3.5~rc3-2.1_amd64.deb
 a88d9cabc71106e573ccb8efd3c5735b 464192 net optional proftpd-mod-ldap_1.3.5~rc3-2.1_amd64.deb
 f55d77b9ad5a84c93d2a3a490e7ab752 458104 net optional proftpd-mod-odbc_1.3.5~rc3-2.1_amd64.deb
 fff2299a8911636af035b6abbb0af765 456248 net optional proftpd-mod-sqlite_1.3.5~rc3-2.1_amd64.deb
 1fd41f0a4ee0b106be74f856e8e36676 457524 net optional proftpd-mod-geoip_1.3.5~rc3-2.1_amd64.deb
 7c355efbf24c0e0135ccd28a9363f484 907656 doc optional proftpd-doc_1.3.5~rc3-2.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCgAGBQJSUA5+AAoJEHidbwV/2GP+wPoQAPA59nlTTsTVMnPY+tyQ+Twt
7nqa7rDh6G3GgUhKcfbe7yEof1PF9tbfI+u8eLaCHlpVYlNgFG2bkEF4M6c36Vk+
kOnd6AyQLsLRzbp8BjKXBmEBR1YSksBdIENdNSQjsY4izBtCGqYMO2nQu4uDGn/5
GUF2M1sx8PseDTKaw8uKBBrg75SMhKiPcF84tsx7w2TVJ6a66VHAyFTRnzPaS9MQ
EceJ9FheZUeDhkxxJOKNik3jT04tHAKhQEzAERZkrKzU+TDlW5MhDTJ4/wNTknZ6
/rggCxeiA6DjVbovU0upjSszQYXHJyhjMQdVbxyZDbolF0o7/egZwAQGi9uGwRSb
+vihwLrDvKlCcD5TCecnqQEtXORQ15sm4tgHwTPRqGJ3e5ugMo7JJpsgPImyTGvn
8k038Bq4u2kJelfgpUgVcpDTGeEoCKGLCU3g00CnPKLZmCarp9NCbg5R8ReyTDXj
GXCFoV2BDYW2Hy6JShO/2eLs7G1MIngo8vCumMsop+89DFD4DyVCKYK096v+nXTG
ahAWqk+TRetsHRKfPMW0PNbWa3nkVbYQGXWdtt3UboHh357RcxBHywbg8g2yz3d9
FUzkO5i5mJ302RDh4BNhc9db/8U371og4yATQxV0j52gNaxMtdwQgrbgJ2XNih3e
hdjujDUXpdBuaPxoZE5o
=7ByE
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Nov 2013 07:31:53 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:56:29 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.