-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1727-1 security@xxxxxxxxxx http://www.debian.org/security/ Steffen Joeris February 26th, 2009 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : proftpd-dfsg Vulnerability : SQL injection vulnerabilites Problem type : remote Debian-specific: no CVE Ids : CVE-2009-0542 CVE-2009-0543 Two SQL injection vulnerabilities have been found in proftpd, a virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0542 Shino discovered that proftpd is prone to an SQL injection vulnerability via the use of certain characters in the username. CVE-2009-0543 TJ Saunders discovered that proftpd is prone to an SQL injection vulnerability due to insufficient escaping mechanisms, when multybite character encodings are used. For the stable distribution (lenny), these problems have been fixed in version 1.3.1-17lenny1. For the oldstable distribution (etch), these problems will be fixed soon. For the testing distribution (squeeze), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 1.3.2-1. We recommend that you upgrade your proftpd-dfsg package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.dsc Size/MD5 checksum: 1348 bb4118976a78b6eef4356123b4e322da http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.diff.gz Size/MD5 checksum: 102388 7873fdab33c5e044dce721300d496d7e http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz Size/MD5 checksum: 2662056 da40b14c5b8ec5467505c98b4ee4b7b9 Architecture independent components: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny1_all.deb Size/MD5 checksum: 1256300 f0e73bd54793839c802b3c3ce85bb123 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny1_all.deb Size/MD5 checksum: 194896 cda6edb78e4a5ab9c8a90cfdaeb19b32 AMD64 architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_amd64.deb Size/MD5 checksum: 744914 4c09f5af5f825f0c068f3dce4a1c7a84 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_amd64.deb Size/MD5 checksum: 214334 eb8f6f56afda836f85f6d808a6086c6a http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_amd64.deb Size/MD5 checksum: 203878 8d13ce2c0d2c15eec496d3e014aa1ea3 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_amd64.deb Size/MD5 checksum: 203902 ce74fcf7e0f082fcf4454120e984a0c3 ARM architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_arm.deb Size/MD5 checksum: 696884 cab353aa755852b2c07916f234268e39 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_arm.deb Size/MD5 checksum: 213832 faad0df7dab14fdca108c6370ae3edf0 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_arm.deb Size/MD5 checksum: 203260 3940f22df22db3ce6a3644a22b68e82b http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_arm.deb Size/MD5 checksum: 203448 35f6cb99d5f9886d74a8a1e72df36a2d Intel IA-32 architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_i386.deb Size/MD5 checksum: 688540 bdcbe2b33ed58bf474824c4639dcfb99 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_i386.deb Size/MD5 checksum: 212208 bcb4bce6c950fe4fd416fcf9e97b79f6 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_i386.deb Size/MD5 checksum: 203074 55e8334da716aeb8efe43803c8f71d00 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_i386.deb Size/MD5 checksum: 203054 189e02b962d043af8bbb0b29ac61e881 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_ia64.deb Size/MD5 checksum: 980498 6129efd03c600138d89d341dfd2b9641 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_ia64.deb Size/MD5 checksum: 221974 3aea4ff6d0dd4729a901a21ddfefe18c http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_ia64.deb Size/MD5 checksum: 207238 2670aca7f909b86c6b567e2a1ac44917 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_ia64.deb Size/MD5 checksum: 207126 9f52b57603c3d47c354edb2c460e0aa1 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_mips.deb Size/MD5 checksum: 691342 6d88d7863198638c168ac1de05d5cb49 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_mips.deb Size/MD5 checksum: 212038 d1e82db5072e2f62f5f84e2daf86f978 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_mips.deb Size/MD5 checksum: 203104 f59921ea889ce268bdf36d54285ae3ed http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_mips.deb Size/MD5 checksum: 203032 89a9deeecb78e593cd2499c6b5bdcff1 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_mipsel.deb Size/MD5 checksum: 688780 041668e9d855af2d5b6c010a783e66bc http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_mipsel.deb Size/MD5 checksum: 211596 b8c5e6fa91a952ecb304610d42b7819d http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_mipsel.deb Size/MD5 checksum: 203172 32c0cd6a98215dc943b35354b999041a http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_mipsel.deb Size/MD5 checksum: 203064 72cad0d3aea5aaef1535294da306f989 PowerPC architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_powerpc.deb Size/MD5 checksum: 776798 0bdd119672b2ce4a57229f791e4740a5 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_powerpc.deb Size/MD5 checksum: 218006 e3ca91a5e057086a28ee00d698505171 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_powerpc.deb Size/MD5 checksum: 205758 75db9214e07ca88a71371731d3b445d7 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_powerpc.deb Size/MD5 checksum: 205942 c1ae0f701446f8e71b58d51f9cbdd31b IBM S/390 architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_s390.deb Size/MD5 checksum: 739296 3297f0d1b3add5d9b34ffddbfb192c0b http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_s390.deb Size/MD5 checksum: 214182 2ee7910d17befa48c491e3303f825d6a http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_s390.deb Size/MD5 checksum: 204150 2c7622b4ba0a1fce7ac5c862be2d7163 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_s390.deb Size/MD5 checksum: 204266 be2aac143d55ad96c1a705712998947c Sun Sparc architecture: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_sparc.deb Size/MD5 checksum: 701314 7d15073aba40282034905f0b98537fbf http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_sparc.deb Size/MD5 checksum: 213518 a5ae26d4877378b69350a780d91a20f9 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_sparc.deb Size/MD5 checksum: 203274 ac2e2659e6865eefc9b92be8d74f75b9 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_sparc.deb Size/MD5 checksum: 203550 83e40d59d94f86ddd761f5c93df0e945 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJplHOW5ql+IAeqTIRAtgEAKCzWrcMOwYY3OFt3nyvr8PLU8uFZACgsWRY d2Eqc9UdqKrHYaKNbRFEkwM= =Cxa4 -----END PGP SIGNATURE-----