Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-5815: proftpd unspecified vulnerability
------- Additional Comments From lkundrak(a)redhat.com 2006-11-28 05:28 EST -------
Okay, just so to summarize what was discovered by Evgeny Legerov, disclosed and
now fixed: There are two issues:
sreplace() stack overflow, which is the vd_proftpd.pm VulnDisco metasploit
exploit -- http://www.gleg.net/proftpd.txt
. This is fixed in 1.3.0a
mod_tls pre-auth buffer overflow. This is in VulnDisco since January 2006 and is
not yet fixed in 1.3.0a.
So I disagree with Jan's comment #15, updating to 1.3.0a is _not_ sufficient. It
is needed to patch for also for the mod_tls issue, because mod_tls.c module is
included in Fedora package by default. An attachment #141353 should fix that.
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.