ProFTPD ASCII File Transfer Buffer Overrun Vulnerability
The vendor has stated that patched versions of ProFTPD 1.2.7 through 1.2.9rc2 have been made available. These patched versions can be obtained from the vendor through various mirrors and are denoted with a 'p' after the version number, for example:
Sun have released a security update to address this issue in the RAQ XTR. Please see references section for further details. A fix is linked below.
Slackware has released fixes to address this issue.
OpenPKG updates are available. See advisory OpenPKG-SA-2003.043.
Mandrake has issued fixes listed in advisory MDKSA-2003:095. **UPDATE: On Dec 31, 2003 Mandrake released new fixes correcting a bug in the patched version of ProFTPD.
Trustix has issued fixes for Trustix Secure Linux. See advisory TSLSA-2003-0037 in the reference section.
GENTOO has released an advisory 200309-16 and fix information to address this issue. Please see the referenced advisory for more information.
Conectiva has released advisory CLA-2003:750 to address this issue.
Turbolinux has released an advisory TLSA-2003-54 and fix information to address this issue. Please see the referenced advisory for more information.
ProFTPD versions 1.2.9 and 1.2.9rc3 have been released which are not prone to this issue. Users are advised to obtain the fixes.
Sun has released a fix for the Qube3.
Sun Cobalt RaQ XTR
ProFTPD Project ProFTPD 1.2.7
ProFTPD Project ProFTPD 1.2.7 rc2
ProFTPD Project ProFTPD 1.2.7 rc3
ProFTPD Project ProFTPD 1.2.7 rc1
ProFTPD Project ProFTPD 1.2.8
ProFTPD Project ProFTPD 1.2.8 rc1
ProFTPD Project ProFTPD 1.2.8 rc2
ProFTPD Project ProFTPD 1.2.9 rc1
ProFTPD Project ProFTPD 1.2.9 rc2