Your message dated Sun, 21 Dec 2008 12:41:56 +0100
with message-id <[email protected]>
and subject line Fixed by bpo, so closing.
has caused the Debian Bug report #496686,
regarding proftpd: SSL/TLS Module doesn't handle the rfc correctly -> connections
can be spoofed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
496686: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496686
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: proftpd
Version: 1.3.0-19etch1
Severity: normal
The ProFTP TLS/SSL module does not handle RFC 4346 correctly!
So the connection can be vulnerable to spoofed FIN packets.
See the following addresses:
http://forum.filezilla-project.org/viewtopic.php?f=2&t=7688
The bug report and a fix are available at
http://bugs.proftpd.org/show_bug.cgi?id=2753
I hope that this can be fixed in the stable release!
Thanks,
Thomas
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (900, 'stable'), (90, 'testing')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-4-amd64
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages proftpd depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf 1.5.11etch2 Debian configuration management sy
ii debianutils 2.17 Miscellaneous utilities specific t
ii libacl1 2.2.41-1 Access control list shared library
ii libattr1 2.4.32-1 Extended attribute shared library
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii libldap2 2.1.30-13.3 OpenLDAP libraries
ii libmysqlclient15off 5.0.32-7etch6 mysql database client library
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libpam-runtime 0.79-5 Runtime support for the PAM librar
ii libpam0g 0.79-5 Pluggable Authentication Modules l
ii libpq4 8.1.11-0etch1 PostgreSQL C client library
ii libssl0.9.8 0.9.8c-4etch3 SSL shared libraries
ii libwrap0 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii netbase 4.29 Basic TCP/IP networking system
ii perl 5.8.8-7etch3 Larry Wall's Practical Extraction
ii ucf 2.0020 Update Configuration File: preserv
ii zlib1g 1:1.2.3-13 compression library - runtime
proftpd recommends no packages.
-- debconf information excluded
--- End Message ---
--- Begin Message ---
--
Francesco P. Lovergine
--- End Message ---