Phrack hole closed in ProFTPD
The development team behind ProFTPD has released version 1.3.3d, which closes a critical security hole in the SQL module of all previous versions. The flaw was reported roughly a month ago in Phrack, the hacker magazine. A buffer overflow in the function sql_prepare_where() allows attackers to remotely execute arbitrary code on the server. The developers themselves suffered when this vulnerability was exploited by still unknown parties, who entered the project server and installed a back door in the source code.
The new version also fixes a number of additional bugs; as a result, the GPL-licensed server is reportedly now more stable. At the same time, the developers have also published the first release candidate for version 1.3.4.