Debian proftpd 1.2.0 runs as root
Article ID: 11450
Last updated: 27 Jan, 2009
Posted: 22 Jan, 2009 by: Tech Pubs S.
Updated: 27 Jan, 2009 by: Tech Pubs S.

This script is Copyright (C) 2003 Renaud Deraison

Family: FTP
Plugin ID: 11450
Bugtraq ID:
CVE ID: CVE-2001-0456

Description:

The following problems have been reported for the version of proftpd in
Debian 2.2 (potato):

1. There is a configuration error in the postinst script that is triggered
   when the user answers yes when asked whether anonymous access should be
   enabled. The postinst script wrongly leaves the "run as uid/gid root"
   configuration option in /etc/proftpd.conf and adds a
   "run as uid/gid nobody" option that has no effect.
2. There is a bug that comes up when /var is a symlink and proftpd is
   restarted. When proftpd is stopped, the /var symlink is removed; when
   it is started again, a file named /var is created.

See also: http://www.debian.org/security/2001/dsa-032
Solution: Upgrade your proftpd server to proftpd-1.2.0pre10-2.0potato1
Risk factor: Medium
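
A local check for the first problem, as an added example that is not part of the Nessus plugin or the Debian advisory. It assumes the "run as uid/gid" options are ProFTPD's User and Group directives; the sample configuration is constructed, and treating every <Section> as a non-server context is a simplification.

```python
import re

# Constructed sample, modelled on the postinst result described above: the
# root identity is still present and a "nobody" identity has been added.
SAMPLE_CONF = """\
ServerName "Debian"
ServerType standalone
User root
Group root
<Anonymous ~ftp>
  User ftp
  Group nogroup
</Anonymous>
User nobody
Group nogroup
"""

PRIVILEGED = {"root", "0"}

def audit_identity(conf_text):
    """Return (line_no, directive, value, problem) for server-level User/Group."""
    depth = 0                              # > 0 while inside any <Section> block
    seen = {"user": [], "group": []}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:                   # only the main server context
            m = re.match(r"(user|group)\s+(\S+)", line, re.I)
            if m:
                seen[m.group(1).lower()].append((no, m.group(2).strip('"')))
    findings = []
    for name, hits in seen.items():
        values = {v for _, v in hits}
        for no, value in hits:
            if value.lower() in PRIVILEGED:
                findings.append((no, name, value, "privileged identity"))
            elif len(values) > 1:          # more than one identity configured
                findings.append((no, name, value, "conflicts with another value"))
    return sorted(findings)

if __name__ == "__main__":
    for no, name, value, problem in audit_identity(SAMPLE_CONF):
        print(f"line {no}: {name} {value}: {problem}")
```

To audit a real host, pass the contents of /etc/proftpd.conf to `audit_identity`; an empty result means no server-level root or conflicting identity was found.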