CVE-2024-48651

In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.

References

Affected packages

Debian:11 / proftpd-dfsg

Package

Name: proftpd-dfsg
Purl: pkg:deb/debian/proftpd-dfsg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.7a+dfsg-12+deb11u3

Affected versions

1.*

1.3.7a+dfsg-12

1.3.7a+dfsg-12+deb11u1

1.3.7a+dfsg-12+deb11u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / proftpd-dfsg

Package

Name: proftpd-dfsg
Purl: pkg:deb/debian/proftpd-dfsg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.8+dfsg-4+deb12u4

Affected versions

1.*

1.3.8+dfsg-4

1.3.8+dfsg-4+deb12u1

1.3.8+dfsg-4+deb12u2

1.3.8+dfsg-4+deb12u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / proftpd-dfsg

Package

Name: proftpd-dfsg
Purl: pkg:deb/debian/proftpd-dfsg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.8.b+dfsg-4

Affected versions

1.*

1.3.8+dfsg-4

1.3.8+dfsg-5

1.3.8+dfsg-6

1.3.8+dfsg-7

1.3.8+dfsg-8

1.3.8.a+dfsg-1

1.3.8.b+dfsg-1

1.3.8.b+dfsg-2

1.3.8.b+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/proftpd/proftpd

Affected ranges

Type: GIT
Repo: https://github.com/proftpd/proftpd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

cec01cc0a2523453e5da5a486bc6d977c3768db1

Affected versions

v1.*

v1.3.6

v1.3.6rc1

v1.3.6rc2

v1.3.6rc3

v1.3.6rc4

v1.3.7

v1.3.7rc1

v1.3.7rc2

v1.3.7rc3

v1.3.7rc4

v1.3.8

v1.3.8rc1

v1.3.8rc2

v1.3.8rc3

v1.3.8rc4

v1.3.9rc1

v1.3.9rc2