From nobody@FreeBSD.org  Wed Nov 29 11:29:08 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id CF5A316A403
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 29 Nov 2006 11:29:08 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4A93243CAA
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 29 Nov 2006 11:29:07 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id kATBT7ft028926
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 29 Nov 2006 11:29:07 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id kATBT7w4028925;
	Wed, 29 Nov 2006 11:29:07 GMT
	(envelope-from nobody)
Message-Id: <200611291129.kATBT7w4028925@www.freebsd.org>
Date: Wed, 29 Nov 2006 11:29:07 GMT
From: Matus UHLAR - fantomas<uhlar@fantomas.sk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: proftpd security bugs
X-Send-Pr-Version: www-3.0

>Number:         106007
>Category:       ports
>Synopsis:       proftpd security bugs
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 29 11:30:14 GMT 2006
>Closed-Date:    Tue Dec 12 17:27:52 GMT 2006
>Last-Modified:  Tue Dec 12 17:27:52 GMT 2006
>Originator:     Matus UHLAR - fantomas
>Release:        4.11
>Organization:
GTS Nextra a.s.
>Environment:
FreeBSD w01 4.11-RELEASE-p18 FreeBSD 4.11-RELEASE-p18 #7: Fri Jun  2 10:25:29 CEST 2006     root@w01:/shared1/rw/os/FreeBSD/i386/obj/RELENG_4_11/shared1/rw/os/FreeBSD/i386/src/RELENG_4_11/sys/i686_SP  i386

>Description:
Two ProFTPD bugs were reported recently (apart from the one fixed in bug 105510):

http://secunia.com/advisories/22803/
ProFTPD "sreplace()" Buffer Overflow Vulnerability
- http://bugs.proftpd.org/show_bug.cgi?id=2858
- ProFTP 1.0.3a was released due to this error

http://secunia.com/advisories/23141/
ProFTPD mod_tls Buffer Overflow Vulnerability
- http://bugs.proftpd.org/show_bug.cgi?id=2860
>How-To-Repeat:

>Fix:
The first can be fixed by applying the patch
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.78&r2=1.80&view=patch&sortby=date
(against the proftpd-1.3.0 release, not the "previous" version mentioned in proftpd bug 2858) or by upgrading to proftpd-1.3.0a.

The second can be fixed by http://bugs.proftpd.org/attachment.cgi?id=2548&action=view

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Wed Nov 29 13:19:09 UTC 2006 
State-Changed-Why:  
Awaiting maintainer's feedback

http://www.freebsd.org/cgi/query-pr.cgi?pr=106007 

From: Beech Rintoul <beech@alaskaparadise.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: ports/106007: proftpd security bugs
Date: Mon, 11 Dec 2006 15:59:56 -0900

 I just submitted the patches, this pr can be closed.
 -- 
 ---------------------------------------------------------------------------------------
 Beech Rintoul - Sys. Administrator - beech@alaskaparadise.com
 /"\   ASCII Ribbon Campaign  | Alaska Paradise Travel
 \ / - NO HTML/RTF in e-mail  | 201 East 9Th Avenue Ste.310
  X  - NO Word docs in e-mail | Anchorage, AK 99501
 / \  - Please visit Alaska Paradise - http://www.alaskaparadise.com
 ---------------------------------------------------------------------------------------
 
State-Changed-From-To: feedback->closed 
State-Changed-By: delphij 
State-Changed-When: Tue Dec 12 17:25:42 UTC 2006 
State-Changed-Why:  
Fixed in latest ports tree.  Thanks for your submission! 


Responsible-Changed-From-To: freebsd-ports-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Tue Dec 12 17:25:42 UTC 2006 
Responsible-Changed-Why:  
Superseded by ports/106623.  Take so there is someone to complain 
to :-) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106007 
>Unformatted:
