| Field | Value |
|---|---|
| VID | 16056 |
| Severity | 30 |
| Port | 21 |
| Protocol | TCP |
| Class | FTP |
| Detailed Description | The ProFTPd package shipped with Debian 2.2 (potato) has two problems. 1. The first is a configuration error: the proftpd daemon runs as root even if the user selects otherwise. It arises because, at installation, if the user answers "yes" when asked whether anonymous access should be enabled, the 'run as uid/gid root' configuration option is left in the /etc/proftpd.conf file and the 'run as uid/gid nobody' option is added. 2. The second is a bug that appears when /var is a symlink and proftpd is restarted: when proftpd is stopped, the /var symlink is removed, and when it is started again a file named /var is created. |
| References | http://www.debian.org/security/2001/dsa-032 ; http://linux.oreillynet.com/lpt/a/676 |
| Platforms Affected | Debian 2.2 (potato) ProFTPd package prior to 1.2.0pre10-2.0potato1 |
| Recommendation | Upgrade to the latest version of proftpd (1.2.0pre10-2.0potato1 or later), available from Debian's web site. [Source](http://security.debian.org/dists/stable/updates/main/source/proftpd_1.2.0pre10.orig.tar.gz) ; [Alpha](http://security.debian.org/dists/stable/updates/main/binary-alpha/proftpd_1.2.0pre10-2.0potato1_alpha.deb) ; [i386](http://security.debian.org/dists/stable/updates/main/binary-i386/proftpd_1.2.0pre10-2.0potato1_i386.deb) |
| Related URL | CVE-2001-0456 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 6208 (ISS) |