Debian Security Advisory
DSA-1925-1 proftpd-dfsg -- insufficient input validation
- Date Reported:
- 31 Oct 2009
- Affected Packages:
- proftpd-dfsg
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2009-3639.
- More information:
-
It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled.
For the stable distribution (lenny), this problem has been fixed in version 1.3.1-17lenny4.
For the oldstable distribution (etch), this problem has been fixed in version 1.3.0-19etch3.
Binaries for the amd64 architecture will be released once they are available.
For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1.3.2a-2.
We recommend that you upgrade your proftpd-dfsg packages.
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch3.tar.gz
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch3.dsc
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch3.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mysql_1.3.0-19etch3_all.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-19etch3_all.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-pgsql_1.3.0-19etch3_all.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.0-19etch3_all.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-19etch3_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_arm.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_mipsel.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_sparc.deb
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny4.dsc
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny4.diff.gz
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny4.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny4_all.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny4_all.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_alpha.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_arm.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_arm.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_arm.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_arm.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_armel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_armel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_armel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_armel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_hppa.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_i386.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_i386.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_i386.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_i386.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_ia64.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_mips.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_mips.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_mips.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_mips.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_mipsel.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_mipsel.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_sparc.deb
- http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_sparc.deb
MD5 checksums of the listed files are available in the original advisory.