Comment 11 for bug 508738

This bug was fixed in the package proftpd-dfsg - 1.3.1-17ubuntu1.1

---------------
proftpd-dfsg (1.3.1-17ubuntu1.1) jaunty-security; urgency=low

  * Security: added 3124.dpatch patch to manage another SQL injection due to %
    variable substitution in user/group names. This is fixed in 1.3.2. This is
    CVE-2009-0542. (LP: #508738)

  * Security: added 3173fix.dpatch to use PQescapeStringConn() instead of the
    deprecated PQescapeString(), which does not honour the encoding.
    This is referred to the previous fix of #3173 aka CVE-2009-0543.

  * Security: added 3275.dpatch as taken from 1.3.2b branch to fix
    CVE-2009-3639.
 -- Jan Hagemeyer <email address hidden> Tue, 19 Jan 2010 19:14:30 +0100