[Bug 508738] Re: proftpd sql injection
Launchpad Bug Tracker
508738 at bugs.launchpad.net
Wed Jan 20 23:03:27 UTC 2010
This bug was fixed in the package proftpd-dfsg - 1.3.1-17ubuntu1.1
---------------
proftpd-dfsg (1.3.1-17ubuntu1.1) jaunty-security; urgency=low

  * Security: added 3124.dpatch patch to manage another SQL injection due to %
    variable substitution in user/group names. This is fixed in 1.3.2. This is
    CVE-2009-0542. (LP: #508738)
  * Security: added 3173fix.dpatch to use PQescapeStringConn() instead of the
    deprecated PQescapeString(), which does not honour the encoding.
    This is referred to the previous fix of #3173 aka CVE-2009-0543.
  * Security: added 3275.dpatch as taken from 1.3.2b branch to fix
    CVE-2009-3639.

 -- Jan Hagemeyer <janhg at et.uni-paderborn.de> Tue, 19 Jan 2010 19:14:30 +0100
** Changed in: proftpd-dfsg (Ubuntu Jaunty)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0542
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0543
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3639
--
proftpd sql injection
https://bugs.launchpad.net/bugs/508738