| Name | CVE-2020-9273 |
| Description | In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2115-1, DLA-2115-2, DSA-4635-1 |
| Debian Bugs | 951800 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| proftpd-dfsg (PTS) | jessie, jessie (lts) | 1.3.5e+r1.3.5-2+deb8u8 | fixed |
| stretch (security) | 1.3.5e+r1.3.5b-4+deb9u2 | fixed | |
| stretch (lts), stretch | 1.3.5e+r1.3.5b-4+deb9u3 | fixed | |
| buster | 1.3.6-4+deb10u6 | fixed | |
| buster (security), buster (lts) | 1.3.6-4+deb10u4 | fixed | |
| bullseye | 1.3.7a+dfsg-12+deb11u2 | fixed | |
| bookworm | 1.3.8+dfsg-4+deb12u3 | fixed | |
| sid | 1.3.8.b+dfsg-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| proftpd-dfsg | source | wheezy | (unfixed) | end-of-life | ||
| proftpd-dfsg | source | jessie | 1.3.5e+r1.3.5-2+deb8u7 | DLA-2115-2 | ||
| proftpd-dfsg | source | stretch | 1.3.5b-4+deb9u4 | DSA-4635-1 | ||
| proftpd-dfsg | source | buster | 1.3.6-4+deb10u4 | DSA-4635-1 | ||
| proftpd-dfsg | source | (unstable) | 1.3.6c-2 | 951800 |
https://github.com/proftpd/proftpd/issues/903
https://github.com/proftpd/proftpd/commit/d388f7904d4c9a6d0ea54237b8b54a57c19d8d49 (master)
https://github.com/proftpd/proftpd/commit/f8047a1ed0e0eb15193f555c4cbbb281e705c5c3 (master)
https://github.com/proftpd/proftpd/commit/e845abc1bd86eebec7a0342fded908a1b0f1996b (1.3.6c)
https://github.com/proftpd/proftpd/commit/cd9036f4ef7a05c107f0ffcb19a018b20267c531 (1.3.6-branch)