Debian DSA-2191-1 : proftpd-dfsg - several vulnerabilities

high Nessus Plugin ID 52660

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in ProFTPD, a versatile, virtual-hosting FTP daemon:

- CVE-2008-7265 Incorrect handling of the ABOR command could lead to denial of service through elevated CPU consumption.

- CVE-2010-3867 Several directory traversal vulnerabilities have been discovered in the mod_site_misc module.

- CVE-2010-4562 A SQL injection vulnerability was discovered in the mod_sql module.

Solution

Upgrade the proftpd-dfsg packages.

For the oldstable distribution (lenny), this problem has been fixed in version 1.3.1-17lenny6.

The stable distribution (squeeze) and the unstable distribution (sid) are not affected; these vulnerabilities were fixed prior to the release of Debian 6.0 (squeeze).

See Also

https://security-tracker.debian.org/tracker/CVE-2008-7265

https://security-tracker.debian.org/tracker/CVE-2010-3867

https://security-tracker.debian.org/tracker/CVE-2010-4562

https://www.debian.org/security/2011/dsa-2191

Plugin Details

Severity: High

ID: 52660

File Name: debian_DSA-2191.nasl

Version: 1.12

Type: local

Agent: unix

Published: 3/15/2011

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:proftpd-dfsg, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/14/2011

Exploitable With

Metasploit (ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux))

Reference Information

CVE: CVE-2008-7265, CVE-2010-3867, CVE-2010-4652

BID: 44562, 44933

DSA: 2191