Vincent Bernat wrote:
> proftpd in Sarge is vulnerable to a format string vulnerability. The
> corresponding bug is marked as fixed in 1.2.10-20 and found in
> 1.2.10-15 (which is the Sarge version). This means that the Sarge
> version is still vulnerable.
Indeed, sarge proftpd (1.2.10-15) is vulnerable to the 2 recent format string vulnerabilities [1,2], but testing proftpd (1.2.10-20) is not [3].

[1] SQLShowInfo format string vulnerability
    http://bugs.proftpd.org/show_bug.cgi?id=2645
[2] ftpshut format string vulnerability
    http://bugs.proftpd.org/show_bug.cgi?id=2646
[3] Debian Changelog proftpd (1.2.10-20)
    http://packages.debian.org/changelogs/pool/main/p/proftpd/proftpd_1.2.10-20/changelog

> However, the bug is closed and not tagged security.

I guess it's a mistake, even for low-risk vulnerabilities.

> Should this bug be reopened and tagged security?

vote: +1

> Will a new upload be handled by the security team shortly?

I hope so.

Ch.