DSA 1727-1: New proftpd-dfsg packages fix SQL injection vulnerabilites
Posted on: 02/26/2009 09:45 AM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1727-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
February 26th, 2009 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : proftpd-dfsg
Vulnerability : SQL injection vulnerabilites
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2009-0542 CVE-2009-0543

Two SQL injection vulnerabilities have been found in proftpd, a
virtual-hosting FTP daemon. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0542

Shino discovered that proftpd is prone to an SQL injection
vulnerability via the use of certain characters in the username.

CVE-2009-0543

TJ Saunders discovered that proftpd is prone to an SQL injection
vulnerability due to insufficient escaping mechanisms, when
multybite character encodings are used.

For the stable distribution (lenny), these problems have been fixed in
version 1.3.1-17lenny1.

For the oldstable distribution (etch), these problems will be fixed
soon.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.3.2-1.

We recommend that you upgrade your proftpd-dfsg package.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.dsc
Size/MD5 checksum: 1348 bb4118976a78b6eef4356123b4e322da
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny1.diff.gz
Size/MD5 checksum: 102388 7873fdab33c5e044dce721300d496d7e
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz
Size/MD5 checksum: 2662056 da40b14c5b8ec5467505c98b4ee4b7b9

Architecture independent components:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny1_all.deb
Size/MD5 checksum: 1256300 f0e73bd54793839c802b3c3ce85bb123
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny1_all.deb
Size/MD5 checksum: 194896 cda6edb78e4a5ab9c8a90cfdaeb19b32

AMD64 architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_amd64.deb
Size/MD5 checksum: 744914 4c09f5af5f825f0c068f3dce4a1c7a84
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_amd64.deb
Size/MD5 checksum: 214334 eb8f6f56afda836f85f6d808a6086c6a
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_amd64.deb
Size/MD5 checksum: 203878 8d13ce2c0d2c15eec496d3e014aa1ea3
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_amd64.deb
Size/MD5 checksum: 203902 ce74fcf7e0f082fcf4454120e984a0c3

ARM architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_arm.deb
Size/MD5 checksum: 696884 cab353aa755852b2c07916f234268e39
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_arm.deb
Size/MD5 checksum: 213832 faad0df7dab14fdca108c6370ae3edf0
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_arm.deb
Size/MD5 checksum: 203260 3940f22df22db3ce6a3644a22b68e82b
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_arm.deb
Size/MD5 checksum: 203448 35f6cb99d5f9886d74a8a1e72df36a2d

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_i386.deb
Size/MD5 checksum: 688540 bdcbe2b33ed58bf474824c4639dcfb99
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_i386.deb
Size/MD5 checksum: 212208 bcb4bce6c950fe4fd416fcf9e97b79f6
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_i386.deb
Size/MD5 checksum: 203074 55e8334da716aeb8efe43803c8f71d00
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_i386.deb
Size/MD5 checksum: 203054 189e02b962d043af8bbb0b29ac61e881

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_ia64.deb
Size/MD5 checksum: 980498 6129efd03c600138d89d341dfd2b9641
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_ia64.deb
Size/MD5 checksum: 221974 3aea4ff6d0dd4729a901a21ddfefe18c
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_ia64.deb
Size/MD5 checksum: 207238 2670aca7f909b86c6b567e2a1ac44917
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_ia64.deb
Size/MD5 checksum: 207126 9f52b57603c3d47c354edb2c460e0aa1

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_mips.deb
Size/MD5 checksum: 691342 6d88d7863198638c168ac1de05d5cb49
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_mips.deb
Size/MD5 checksum: 212038 d1e82db5072e2f62f5f84e2daf86f978
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_mips.deb
Size/MD5 checksum: 203104 f59921ea889ce268bdf36d54285ae3ed
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_mips.deb
Size/MD5 checksum: 203032 89a9deeecb78e593cd2499c6b5bdcff1

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_mipsel.deb
Size/MD5 checksum: 688780 041668e9d855af2d5b6c010a783e66bc
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_mipsel.deb
Size/MD5 checksum: 211596 b8c5e6fa91a952ecb304610d42b7819d
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_mipsel.deb
Size/MD5 checksum: 203172 32c0cd6a98215dc943b35354b999041a
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_mipsel.deb
Size/MD5 checksum: 203064 72cad0d3aea5aaef1535294da306f989

PowerPC architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_powerpc.deb
Size/MD5 checksum: 776798 0bdd119672b2ce4a57229f791e4740a5
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_powerpc.deb
Size/MD5 checksum: 218006 e3ca91a5e057086a28ee00d698505171
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_powerpc.deb
Size/MD5 checksum: 205758 75db9214e07ca88a71371731d3b445d7
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_powerpc.deb
Size/MD5 checksum: 205942 c1ae0f701446f8e71b58d51f9cbdd31b

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_s390.deb
Size/MD5 checksum: 739296 3297f0d1b3add5d9b34ffddbfb192c0b
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_s390.deb
Size/MD5 checksum: 214182 2ee7910d17befa48c491e3303f825d6a
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_s390.deb
Size/MD5 checksum: 204150 2c7622b4ba0a1fce7ac5c862be2d7163
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_s390.deb
Size/MD5 checksum: 204266 be2aac143d55ad96c1a705712998947c

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny1_sparc.deb
Size/MD5 checksum: 701314 7d15073aba40282034905f0b98537fbf
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny1_sparc.deb
Size/MD5 checksum: 213518 a5ae26d4877378b69350a780d91a20f9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny1_sparc.deb
Size/MD5 checksum: 203274 ac2e2659e6865eefc9b92be8d74f75b9
http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny1_sparc.deb
Size/MD5 checksum: 203550 83e40d59d94f86ddd761f5c93df0e945


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJplHOW5ql+IAeqTIRAtgEAKCzWrcMOwYY3OFt3nyvr8PLU8uFZACgsWRY
d2Eqc9UdqKrHYaKNbRFEkwM=
=Cxa4
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1727_1_new_proftpd_dfsg_packages_fix_sql_injection_vulnerabilites.html)