-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1925-1 security@debian.org http://www.debian.org/security/ Steffen Joeris October 31, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : proftpd-dfsg Vulnerability : insufficient input validation Problem type : remote Debian-specific: no CVE Id : CVE-2009-3639 It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled. For the stable distribution (lenny), this problem has been fixed in version 1.3.1-17lenny4. For the oldstable distribution (etch), this problem has been fixed in version 1.3.0-19etch3. Binaries for the amd64 architecture will be released once they are available. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1.3.2a-2. We recommend that you upgrade your proftpd-dfsg packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch3.tar.gz Size/MD5 checksum: 1905969 38528feb0ffb9bd88db6f175d6020b8d http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-19etch3.dsc Size/MD5 checksum: 872 0bd9359e5bf664360be0c144225649b2 Architecture independent packages: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mysql_1.3.0-19etch3_all.deb Size/MD5 checksum: 162748 5608f61ea367720d306635309b85d6bc http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-19etch3_all.deb Size/MD5 checksum: 162748 e16562c92cdc0f0c344ded50f5916d36 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-pgsql_1.3.0-19etch3_all.deb Size/MD5 checksum: 162752 98b538acf18e6c6a7fedfcaab1a35dee http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.0-19etch3_all.deb Size/MD5 checksum: 492828 eb6950dbd7f5a48fea262fa373224d01 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_alpha.deb Size/MD5 checksum: 997748 b6db8df62a1a19529b8a75cd3965c61c arm architecture (ARM) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_arm.deb Size/MD5 checksum: 803396 01f586c57a9df10f764b1250182aaf4a hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_hppa.deb Size/MD5 checksum: 936038 662b6032362df105994979458344e4c5 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_i386.deb Size/MD5 checksum: 798022 44f0f80e230c4f86e12daf20129ec636 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_ia64.deb Size/MD5 checksum: 1188390 9e68db2aa07f4f477e050f961e766bd5 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_mips.deb Size/MD5 checksum: 856696 0a9f117d838b1b612d05c88ac76caed4 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_mipsel.deb Size/MD5 checksum: 856038 3b04229098a901c9b4de298443af7aff sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.0-19etch3_sparc.deb Size/MD5 checksum: 830844 08971c1104010e23c01d52b343b11f56 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny4.dsc Size/MD5 checksum: 1349 825576201541f76cbc1dcab44bae9e61 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny4.diff.gz Size/MD5 checksum: 103691 8b4252ad95f772b66b7dd06d60a1bfa6 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1.orig.tar.gz Size/MD5 checksum: 2662056 da40b14c5b8ec5467505c98b4ee4b7b9 Architecture independent packages: http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-doc_1.3.1-17lenny4_all.deb Size/MD5 checksum: 1256500 001a1754365940758a4ec97ead34fb34 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd_1.3.1-17lenny4_all.deb Size/MD5 checksum: 195088 1951485bf96a4a688495c5ebfa050749 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_alpha.deb Size/MD5 checksum: 215366 e95e97a49984acf80828d18da59c72e9 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_alpha.deb Size/MD5 checksum: 783554 921f2efef6cc2fc8688bcbb6ca9d8b59 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_alpha.deb Size/MD5 checksum: 204746 ab8e55b37a646a496bb122e32d90b067 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_alpha.deb Size/MD5 checksum: 204640 5e3dc3781500c2c5a577e39ec4446d75 arm architecture (ARM) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_arm.deb Size/MD5 checksum: 214036 187789bcd2eb7d18e6ff207b296011db http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_arm.deb Size/MD5 checksum: 203356 c6ac828e324d4cd79675d893b2b9af4c http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_arm.deb Size/MD5 checksum: 203202 465de4f3bc6b6532208a22ba96a2a7f9 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_arm.deb Size/MD5 checksum: 699814 f463140d95df55d8cd301c567878e397 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_armel.deb Size/MD5 checksum: 213884 8b1501c1cfa5a61c6af8ca3c121dddda http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_armel.deb Size/MD5 checksum: 705542 f03e97c4a517b1b44af58eeba70d9db3 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_armel.deb Size/MD5 checksum: 203634 68c067db2619d26b9544688d1e9e7e8b http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_armel.deb Size/MD5 checksum: 203526 43efcc97292d5d0545748c6210a32689 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_hppa.deb Size/MD5 checksum: 216732 a718ff67e4b488ef3052e6a1045c89f5 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_hppa.deb Size/MD5 checksum: 764824 fe6033f5797b6a163ed8ce552eb7182a http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_hppa.deb Size/MD5 checksum: 205296 a675af7ef1807e1e7f8cdacabf28a9c9 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_hppa.deb Size/MD5 checksum: 205144 3644789a8d2e181cfdac74a2a80ac85e i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_i386.deb Size/MD5 checksum: 203274 aaebf117359a3d9da24ad44d54b92370 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_i386.deb Size/MD5 checksum: 203216 0b22db02bddba0d783049e83311526a5 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_i386.deb Size/MD5 checksum: 688914 f7088094d696ab673f9e91631adc3bb6 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_i386.deb Size/MD5 checksum: 212408 262af8522ecd16b57c11af409db528cb ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_ia64.deb Size/MD5 checksum: 980974 8ab9bfd7088b9740a27a54760059b3e9 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_ia64.deb Size/MD5 checksum: 222164 3ac1225c263d2678563fe0fa63a37cde http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_ia64.deb Size/MD5 checksum: 207428 c2a8edc2d5f2943034ccadf0c6d67c21 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_ia64.deb Size/MD5 checksum: 207274 0c4d9685cfe8479fcb24ef7eb86f301d mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_mips.deb Size/MD5 checksum: 212246 f90b614ab734af4e75cb15d45d7571bd http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_mips.deb Size/MD5 checksum: 691796 c2caa9adce6dd3d44c53a91e6c7b7e88 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_mips.deb Size/MD5 checksum: 203262 f4947609b2a1e3b1016ff6a9b7c21d4c http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_mips.deb Size/MD5 checksum: 203344 27701f545ffd35ec7fccf456a91a34ce mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_mipsel.deb Size/MD5 checksum: 203266 566d885e4619eae83a3986cac1a28ad7 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_mipsel.deb Size/MD5 checksum: 203412 62a1ae565c42e326ae2a129add355155 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_mipsel.deb Size/MD5 checksum: 689126 f87ca4149400a5ac5bc3e17f149170b8 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_mipsel.deb Size/MD5 checksum: 211804 6a32fca4e5b5cb68821670a0f59aa5ad sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-17lenny4_sparc.deb Size/MD5 checksum: 203744 e11aedfb13f8c65a7866b3aa35a35780 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-basic_1.3.1-17lenny4_sparc.deb Size/MD5 checksum: 701992 1bb07d6070f54a0f84d237bb353c1149 http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-17lenny4_sparc.deb Size/MD5 checksum: 203486 583c76972206a115b83c6af5f700727a http://security.debian.org/pool/updates/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-17lenny4_sparc.deb Size/MD5 checksum: 213718 59f82a39914654ba2a32ce50613dc83a These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkrta9wACgkQ62zWxYk/rQeDUgCfdLL9M9AYk3FihGSfLQxT5sGK gcAAoLdYCFgKXMySMt5m7+4Gu0zH9sVE =4qQL -----END PGP SIGNATURE-----