Re: CVE request for proftpd

[Vincent Danen <vdanen () redhat com>]

* [2009-02-11 10:58:05 -0800] TJ Saunders wrote:

> > An SQL injection vulnerability in proftpd was reported on bugtraq
> > yesterday that could allow a user to login to proftpd with any password
> > if they use mysql for authentication (and, presumably, postgresql).
> >
> > References:
> >
> > http://www.securityfocus.com/archive/1/500823/30/0/threaded
> > http://bugs.gentoo.org/show_bug.cgi?id=258450
> > http://bugs.proftpd.org/show_bug.cgi?id=3180
> > https://bugzilla.redhat.com/show_bug.cgi?id=485125
>
> This has been reported on the ProFTPD Bugzilla:
>
>  http://bugs.proftpd.org/show_bug.cgi?id=3180

Yeah, I noted that above.  =)

> As discussed there, this is a duplicate of an earlier bug:
>
>  http://bugs.proftpd.org/show_bug.cgi?id=3124
>
> and has been fixed in ProFTPD 1.3.2rc3 and later.

Thanks, TJ.  I just read the comments and the duplicate note a few
minutes ago and was going to reply to it.

We still need a CVE name, however.  Bug #3124 does not note any kind of
security impact, which there clearly is, so I don't believe a CVE name
had been assigned to this previously (at least not that I could find).

--
Vincent Danen / Red Hat Security Response Team