[debug]

Date: Tue, 23 Sep 2003 07:46:01 -0700 (PDT)
From: TJ Saunders
To: proftp-announce@lists.sourceforge.net
Cc: proftp-devel@lists.sourceforge.net, proftp-user@lists.sourceforge.net
Subject: [Proftpd-user] ProFTPD Remote Exploit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, ProFTPD community. The ProFTPD Project team must make the
following announcement:

X-Force Research at ISS (www.iss.net) has discovered a bug in ProFTPD's
handling of ASCII translation. An attacker, by downloading a carefully
crafted file, can remotely exploit this bug to create a root shell:

http://xforce.iss.net/xforce/alerts/id/154

The source distributions on the project FTP server have been replaced
with patched versions (hence the 'p' in the filenames); the MD5
checksums and PGP signatures for these patched distributions are listed
below. The old RPMs have been deleted, and new RPMs provided. All
snapshots have been removed from the server.

All ProFTPD users are strongly encouraged to upgrade to one of these
distributions as soon as possible.

The ProFTPD Project team would like to heartily thank the X-Force
engineers for the responsible and professional way in which they
reported the vulnerability, and worked with the ProFTPD Project team to
address this issue.

The patched distributions, including PGP signatures and MD5 sums, will
soon be available from any of the proftpd mirrors. Mirrors are
available via FTP as:

ftp..proftpd.org

(example: ftp.nl.proftpd.org). Not all countries have mirrors;
however you should select one that is geographically close to you.



--
A quoi bon soulever des montagnes quand il est si simple de passer par dessus ?
Ecrivain surréaliste français [ Boris Vian ]