Bug #1470259 “Critical security fix for CVE-2015-3306” : Bugs : proftpd-dfsg package : Ubuntu


This bug affects 1 person

Affects: proftpd-dfsg (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi and thanks for maintaining proftpd. We're seeing active exploitation of CVE-2015-3306 on standard proftpd installs (Ubuntu 12.04 and 14.04). Is there a particular reason there has not been a release yet? CVE details were released 2015-05-22.

See also:

http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3306.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306
https://www.exploit-db.com/exploits/36742/
http://bugs.proftpd.org/show_bug.cgi?id=4169

Ciao,
Willem

information type: Private Security → Public

Tyler Hicks (tyhicks) wrote :

Hi Willem - proftpd-dfsg is in the universe pocket which means that it is a community maintained package. Someone will need to step up and create debdiffs containing the backported security fixes. The process is outlined here:

  https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors
