MGASA-2026-0200

Source
https://advisories.mageia.org/MGASA-2026-0200.html
Import Source
https://advisories.mageia.org/MGASA-2026-0200.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2026-0200
Upstream
Published
2026-06-12T23:28:19Z
Modified
2026-06-12T23:30:04.691829057Z
Summary
Updated proftpd packages fix security vulnerabilities
Details

CVE-2026-42167: mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

CVE-2026-44331: A SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect

References
Credits

Affected packages

Mageia:9 / proftpd

Package

Name
proftpd
Purl
pkg:rpm/mageia/proftpd?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.3.8c-1.2.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0200.json"