VulnerableCode Package Details - pkg:deb/ubuntu/proftpd-dfsg@1.3.5b-4

Search for packages

Package details: pkg:deb/ubuntu/proftpd-dfsg@1.3.5b-4

Essentials
History (0)

purl	pkg:deb/ubuntu/proftpd-dfsg@1.3.5b-4

Next non-vulnerable version	1.3.6c-1
Latest non-vulnerable version	1.3.6c-1
Risk	10.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-bgwf-hej6-aaac Aliases: CVE-2019-12815	An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.	1.3.6-6build2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ces2-asry-aaaj Aliases: CVE-2019-19271	An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.	1.3.6-6build2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-gm72-zyaz-aaac Aliases: CVE-2017-7418	ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.	1.3.5e-1build1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hhjt-wqw4-aaak Aliases: CVE-2020-9273	In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.	1.3.6c-1 Affected by 0 other vulnerabilities.
VCID-j4rj-fwju-aaaf Aliases: CVE-2019-19272	An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.	1.3.6-6build2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version