[Secure-testing-team] Re: proftpd, low impact DoS bug
Moritz Muehlenhoff
jmm at inutil.org
Tue Nov 28 22:43:52 CET 2006
Francesco P. Lovergine wrote:
> we need to properly fix the issue, a wrong patch was around (basically
> the same 'fixed' by other vendors) so I'm preparing both a sid and sarge
> package...
We have two different issues here:

A denial of service vulnerability discovered by Ralf Engelschall. That's
what we've fixed so far. It's tracked as CVE-2006-5815 by several
distributions by now. Although it's not suitable for code injection, it's
still a DoS vulnerability.

The sreplace() issue. I'm seeing that mod_tls is referenced in the
debian/rules as EXTRAMODS, getting linked in the pam target. Does this
mean mod_tls support is enabled in the stock 1.2 package from Sarge?

Cheers,
Moritz