Date: Fri, 6 Mar 2009 22:02:53 +0300 (MSK) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/132369: [vuxml] ftp/proftpd: document CVE-2009-0542 and CVE-2009-0543 (SQL injections) Message-ID: <20090306190253.5247DB8031@phoenix.codelabs.ru> Resent-Message-ID: <200903061910.n26JA2LU077327@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 132369 >Category: ports >Synopsis: [vuxml] ftp/proftpd: document CVE-2009-0542 and CVE-2009-0543 (SQL injections) >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Mar 06 19:10:02 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-STABLE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.1-STABLE amd64 >Description: ProFTPD with versions < 1.3.2 and >= 1.3.1 is prone to a multiple SQL injection vulnerabilities: [1], [2]. >How-To-Repeat: See the following links: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0543 >Fix: The port is already at 1.3.2, so no upgrade is needed. The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="d49fe342-0a7c-11de-9a16-001fc66e7203"> <topic>proftpd -- multiple SQL injections</topic> <affects> <package> <name>proftpd</name> <name>proftpd-mysql</name> <range><ge>1.3.1</ge><lt>1.3.2</lt></range> </package> <package> <name>proftpd-devel</name> <range><le>1.3.20080922</le></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>Entry for CVE-2009-0542 says:</p> <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542">; <p>SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 allows remote attackers to execute arbitrary SQL commands via a "%" (percent) character in the username, which introduces a "'" (single quote) character during variable substitution by mod_sql.</p> </blockquote> <p>Entry for CVE-2009-0543 says:</p> <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0543">; <p>ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in mod_sql_mysql and mod_sql_postgres.</p> </blockquote> </body> </description> <references> <cvename>CVE-2009-0542</cvename> <cvename>CVE-2009-0543</cvename> <url>http://bugs.proftpd.org/show_bug.cgi?id=3180</url>; <url>http://bugs.proftpd.org/show_bug.cgi?id=3173</url>; </references> <dates> <discovery>2009-03-02</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- I am marking the whole -devel line to be vulnerable, because CVE-2009-0542 was resolved in rc3 that is dated November 2008 and CVE-2009-0543 was resolved only in 1.3.2 release version. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090306190253.5247DB8031>