CVE-2011-4130 in lucid, maverick, natty

Debdiff for Natty, according to DSA-2346-1 this is only for CVE-2011-4130 because mod_tls buffer bug has been applied in debian/patches/3624.

The attachment "proftpd-dfsg_natty.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Debdiff for maverick, also added patches from DebianBug #648922 to prevent regression. See also DSA 2346-2

Debdiff for lucid, also added patches from DebianBug #648922 to prevent regression. See also DSA 2346-2

Thanks for the debdiffs! Your changelog entry and patch name references 'CVE-2011-041'. This is an invalid CVE identifier. From what I can tell from the history in the Debian squeeze package, you meant to reference CVE-2011-0411. Can you confirm this? If so, the debdiffs should be updated to not call this issue by that CVE name, since it is for postfix. Instead, say it is 'similar to CVE-2011-0411' in the changelog and DEP-3 comments (and rename the patch).

Also, CVE-2010-4652 and CVE-2011-1137 are also open for lucid and maverick (patches are available in the Debian squeeze packaging). Can you update your debdiffs to include the fixes for these issues as well?

Thanks again!

Also, it looks like Oneiric may also be affected. Can you verify?

Unsubscribing ubuntu-security-sponsors. Please resubscribe after submitting updated debdiffs. Thanks again.

Has there been any progress on getting this fix out? I'm asking because it *is* a security issue, and there hasn't been any reported progress for almost 3 months. This vulnerability is showing up in a PCI compliance scan for one of my servers running Lucid.

proftpd-dfsg is supported by the community, so somebody needs to step up and provide debdiffs to fix the issue.

If nobody is interested in doing the work, then there is no progress and proftpd-dfsg will likely remain vulnerable.

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".