
[debian-users:27262] [SECURITY] [DSA-032-1] proftp runs as root, /var symlink removal (from debian-security-announce@lists.debian.org)



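An announcement of the latest version of the proftpd package has been
posted to debian-security-announce@lists.debian.org. Two problems have
been fixed. Please see the original text for details.

The fixed version is 1.2.0pre10-2.0potato1. Upgrading to this version
is recommended.

The announcement is quoted below.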

From: Wichert Akkerman <wichert@xxxxxxxxxx>
Subject: [SECURITY] [DSA-032-1] proftp runs as root, /var symlink removal
Date: Wed, 7 Mar 2001 02:34:51 +0100
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-032-1                   security@debian.org
> http://www.debian.org/security/                         Wichert Akkerman
> March  7, 2001
> - ------------------------------------------------------------------------
> 
> 
> Package: proftpd
> Vulnerability: proftpd running as root, /var symlink removal
> Debian-specific: yes
> 
> The following problems have been reported for the version of proftpd in
> Debian 2.2 (potato):
> 
> 1. There is a configuration error in the postinst script, when the user
> enters 'yes', when asked if anonymous access should be enabled.
> The postinst script wrongly leaves the 'run as uid/gid root' configuration 
> option in /etc/proftpd.conf, and adds a 'run as uid/gid nobody' option that 
> has no effect.
> 
> 2. There is a bug that comes up when /var is a symlink, and proftpd is 
> restarted. When stopping proftpd, the /var symlink is removed; when it's
> started again a file named /var is created.
> 
> The above problems have been corrected in proftpd-1.2.0pre10-2.0potato1. 
> We recommend you upgrade your proftpd package immediately.
> 
> wget url
> 	will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.

(snip)
> - ----------------------------------------------------------------------------
> apt-get: deb http://security.debian.org/ stable/updates main
> dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
(remainder omitted)

-- 
喜瀬“冬猫”浩@南国沖縄
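
Added example, not part of the original post or of the Debian advisory: a shell check for the two conditions the advisory describes, a root User/Group setting left in the server configuration next to a second one, and /var being a symlink or having been replaced by a plain file. The function names and the sample configuration are constructed; `User` and `Group` are ProFTPD's directives, and which of two duplicate directives the daemon honours is left for manual review.

```shell
#!/bin/sh
# Added example: checks for the two conditions described in DSA-032-1.
# Function names and the sample config below are constructed for illustration.

# Report User/Group directives in a proftpd.conf-style file:
#   ROOT <context> <directive> line N - directive is set to root
#   DUP <context> <directive> line N  - repeated in the same context (review by hand)
audit_proftpd_conf() {
    awk '
        BEGIN { depth = 0; ctx[0] = "server" }
        /^[ \t]*#/   { next }                              # comment
        /^[ \t]*<\// { if (depth > 0) depth--; next }      # </Block>
        /^[ \t]*</   {                                     # <Block ...>
            tag = $1; gsub(/[<>]/, "", tag)
            ctx[++depth] = tag "@" NR; next
        }
        {
            d = tolower($1)
            if (d != "user" && d != "group") next
            if ($2 == "root")
                printf "ROOT %s %s line %d\n", ctx[depth], d, NR
            if (++seen[ctx[depth], d] > 1)
                printf "DUP %s %s line %d\n", ctx[depth], d, NR
        }
    ' "$1"
}

# Classify a path for item 2 of the advisory: "symlink" (affected layout),
# "file" (/var already replaced by a file), "dir" (normal) or "missing".
classify_var() {
    if [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo dir
    elif [ -e "$1" ]; then echo file
    else echo missing
    fi
}

# With a path argument, audit that file; otherwise audit a constructed sample.
if [ -n "${1:-}" ]; then
    audit_proftpd_conf "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'User root' 'Group root' 'User nobody' 'Group nogroup' > "$sample"
    audit_proftpd_conf "$sample"; rm -f "$sample"
fi
echo "/var is: $(classify_var /var)"
```

Run it as `sh script.sh /etc/proftpd.conf` on the host; any `ROOT server` line means the server-level setting still names root.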