Critical bug in ProFTPD closed
The ProFTPD Project developers have released versions 1.3.3g and 1.3.4 of their open source FTP server. ProFTPD 1.3.4 addresses a critical use-after-free memory corruption error in the response API code.
According to TippingPoint's Zero Day Initiative (ZDI), the vulnerability could be exploited by a remote attacker to compromise a victim's system. For users running the 1.3.3x branch, ProFTPD 1.3.3g eliminates the security problem and also fixes several other bugs.
Further details about the releases, including a list of changes, can be found in the 1.3.3g and 1.3.4 release notes. Versions 1.3.3g and 1.3.4 of ProFTPD are available to download from the project's mirrors and are licensed under the GPL.
See also:
- ProFTPD Response Pool Use-After-Free Vulnerability, security advisory from Secunia.
(crve)