U radu programskog paketa proftpd uočeno je više sigurnosnih propusta. Udaljeni napadač ih može iskoristiti za proizvoljno izvršavanje programskog koda, izmjenu podataka, dobivanje većih ovlasti te napad uskraćivanjem usluga (DoS).

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15740
2011-11-11 00:54:06
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 15
Version     : 1.3.4
Release     : 1.fc15
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream stable release, includes a pair of security
fixes:

* Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (upstream bug
3704); to disable this countermeasure, which may cause interoperability issues
with some clients, use the NoEmptyFragments TLSOption
* Response pool use-after-free memory corruption error (upstream bug 3711,
#752812, ZDI-CAN-1420, CVE-2011-4130), in which a remote attacker could provide
a specially-crafted request (resulting in a need for the server to handle an
exceptional condition), leading to memory corruption and potentially arbitrary
code execution, with the privileges of the user running the proftpd server

--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 10 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-1
- Update to 1.3.4, addressing the following bugs since 1.3.4rc3:
  - ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD (bug 3702)
  - mod_sql_mysql.so: undefined symbol: make_scrambled_password with MySQL 5.5
    on Fedora (bug 3669)
  - PQescapeStringConn() needs a better check (bug 3192)
  - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (bug 3704);
    to disable this countermeasure, which may cause interoperability issues
    with some clients, use the NoEmptyFragments TLSOption
  - Support SFTPOption for ignoring requests to modify timestamps (bug 3706)
  - RPM build on CentOS 5.5 (64bit): "File not found by glob" (bug 3640)
  - Response pool use-after-free memory corruption error
    (bug 3711, #752812, ZDI-CAN-1420, CVE-2011-4130)
- Drop upstream patch for make_scrambled_password_323
- Use upstream SysV initscript rather than our own
- Use upstream systemd service file rather than our own
- Use upstream PAM configuration rather than our own
- Use upstream logrotate configuration rather than our own
- Use upstream tempfiles configuration rather than our own
- Use upstream xinetd configuration rather than our own
* Thu Oct  6 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-0.15.rc3
- Add upstream patch to not try make_scrambled_password_323 if the MySQL
  library doesn't export it (#718327, upstream bug 3669); this removes support
  for password hashes generated on MySQL prior to 4.1
* Thu Sep 29 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-0.14.rc3
- Update to 1.3.4rc3 (see NEWS and RELEASE_NOTES for full details)
  - The mod_ldap configuration directives have changed to a simplified version;
    please read the "Changes" section in README.LDAP for details
  - Support for using RADIUS for authentication SSH2 logins, and for supporting
    the NAS-IPv6-Address RADIUS attribute
  - Automatically disable sendfile support on AIX systems
  - <Limit WRITE> now prevents renaming/moving a file out of the limited
    directory
  - ExtendedLog entries now written for data transfers that time out
- Drop upstreamed patches
- Use new --disable-strip option to retain debugging symbols
- Use upstream LDAP quota table schema rather than our own copy
- Add patch for broken MySQL auth (#718327, upstream bug 3669)
- Remove spurious exec permissions on systemd unit file
* Tue Sep 27 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-0.13.rc2
- Restore back-compatibility with older releases and EPEL, broken by -11 update
- Use /run rather than /var/run if using systemd init
- Avoid the use of triggers in SysV-to-systemd migration
* Sat Sep 17 2011 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-0.12.rc2
- Rebuild against libmemcached.so.8
* Mon Sep 12 2011 Tom Callaway <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-0.11.rc2
- Convert to systemd
* Fri Jun  3 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-0.10.rc2
- Rebuild for new libmemcached in Rawhide
* Tue May 17 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-0.9.rc2
- Add a number of fixes for bugs reported upstream:
  - Avoid spinning proftpd process if read(2) returns EAGAIN (bug 3639)
  - SITE CPFR/CPTO does not update quota tally (bug 3641)
  - Segfault in mod_sql_mysql if "SQLAuthenticate groupsetfast" used (bug 3642)
  - Disable signal handling for exiting session processes (bug 3644)
  - Ensure that SQLNamedConnectInfos with PERSESSION connection policies are
    opened before chroot (bug 3645)
  - MaxStoreFileSize can be bypassed using REST/APPE (bug 3649)
  - Fix TCPAccessSyslogLevel directive (bug 3652)
  - Segfault with "DefaultServer off" and no matching server for incoming IP
    address (bug 3653)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #752812 - CVE-2011-4130 proftpd: Response pool use-after-free flaw
(ZDI-CAN-1420)
        https://bugzilla.redhat.com/show_bug.cgi?id=752812
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15741
2011-11-11 00:54:08
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 14
Version     : 1.3.3g
Release     : 1.fc14
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update, to the current (and final) release for the 1.3.3 maintenance
branch, includes a pair of security fixes:

* Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (upstream bug
3704); to disable this countermeasure, which may cause interoperability issues
with some clients, use the NoEmptyFragments TLSOption
* Response pool use-after-free memory corruption error (upstream bug 3711,
#752812, ZDI-CAN-1420), in which a remote attacker could provide a
specially-crafted request (resulting in a need for the server to handle an
exceptional condition), leading to memory corruption and potentially arbitrary
code execution, with the privileges of the user running the proftpd server
--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 10 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.3g-1
- Update to 1.3.3g, fixing the following bugs:
  - ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD (bug 3702)
  - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (bug 3704);
    to disable this countermeasure, which may cause interoperability issues
    with some clients, use the NoEmptyFragments TLSOption
  - Response pool use-after-free memory corruption error
    (bug 3711, #752812, ZDI-CAN-1420)
* Tue Sep 27 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.3f-1
- Update to 1.3.3f, fixing a large number of bugs reported upstream:
  - Avoid spinning proftpd process if read(2) returns EAGAIN (bug 3639)
  - Segfault seen in mod_sql_mysql if "SQLAuthenticate groupsetfast" used
    (bug 3642)
  - Disable signal handling for exiting session processes (bug 3644)
  - TCPAccessSyslogLevel directive broken by Bug#3317 (bug 3652)
  - TLSVerifyOrder directive is broken (bug 3658)
  - Segmentation fault if there is regex <IfUser> section in a <VirtualHost>
    section; this is a regression caused by a bad backport of the fix for
    Bug#3625 to the 1.3.3 branch (bug 3659)
  - Filenames with embedded IAC do not get processed correctly (bug 3697)
- Drop upstreamed nostrip patch
- Use new --disable-strip option to retain debugging symbols
- Use upstream LDAP quota table schema rather than our own copy
* Mon Apr  4 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.3e-1
- Update to 1.3.3e, fixing a large number of bugs reported upstream:
  - Process privileges may not handled properly when --enable-autoshadow is
    used (bug 3757)
  - mod_sftp closes channel too early after scp download (bug 3544)
  - mod_sftp_pam may tell client to disable echoing erroneously (bug 3579)
  - mod_sftp behaves badly when receiving badly formed SSH messages (bug 3586,
    CVE-2011-1137)
  - Using "$shell $libtool" in prxs does not work for all shells (bug 3593)
  - WrapAllowMsg directive broken due to bug 3423 (bug 3538)
  - SocketOptions receive/send buffer size parameters no longer work (bug 3607)
  - mod_wrap2 needs to support netmask rules for IPv6 addresses (bug 3606)
  - APPE/STOU upload flags erroneously preserved across upload commands
    (bug 3612)
  - Malicious module can use sreplace() function to overflow buffer (bug 3614)
  - Exiting sessions don't seem to die properly (bug 3619)
  - mod_delay sometimes logs "unable to load DelayTable into memory" (bug 3622)
  - Plaintext command injection in FTPS support (bug 3624)
  - mod_ifsession rules using regular expressions do not work (bug 3625)
  - Truncated client name saved in ScoreboardFile (bug 3623)
  - %w variable populated with non-absolute path in SQLLog statement (bug 3627)
  - Unnecessarily verbose "warning: unable to throttle bandwidth: Interrupted
    system call" (bug 3628)
  - SSH DISCONNECT messages sent by mod_sftp even for FTP connections in some
    cases (bug 3630)
  - mod_sql should log "unrecoverable database error" at a higher priority
    (bug 3632)
  - Proftpd is eating CPU when reparsing configuration file on SIGHUP (bug 3610)
  - Incorrect generation of DSA signature for SSH sessions (bug 3634)
- Nobody else likes macros for commands
* Wed Jan 19 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.3d-1
- Updated to 1.3.3d
  - Fixed sql_prepare_where() buffer overflow (bug 3536, CVE-2010-4652)
  - Fixed CPU spike when handling .ftpaccess files
  - Fixed handling of SFTP uploads when compression is used
- Add Default-Stop LSB keyword in initscript (for runlevels 0, 1, and 6)
- Fix typos in config file and initscript
* Mon Nov  1 2010 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.3c-1
- Update to 1.3.3c (#647965)
  - Fixed Telnet IAC stack overflow vulnerability (CVE-2010-4221)
  - Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
  - Fixed SQLite authentications using "SQLAuthType Backend"
- New DSO module: mod_geoip
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #752812 - CVE-2011-4130 proftpd: Response pool use-after-free flaw
(ZDI-CAN-1420)
        https://bugzilla.redhat.com/show_bug.cgi?id=752812
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15765
2011-11-11 00:55:13
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 16
Version     : 1.3.4
Release     : 1.fc16
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream stable release, includes a pair of security
fixes:

* Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (upstream bug
3704); to disable this countermeasure, which may cause interoperability issues
with some clients, use the NoEmptyFragments TLSOption
* Response pool use-after-free memory corruption error (upstream bug 3711,
#752812, ZDI-CAN-1420, CVE-2011-4130), in which a remote attacker could provide
a specially-crafted request (resulting in a need for the server to handle an
exceptional condition), leading to memory corruption and potentially arbitrary
code execution, with the privileges of the user running the proftpd server

--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 10 2011 Paul Howarth <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 1.3.4-1
- Update to 1.3.4, addressing the following bugs since 1.3.4rc3:
  - ProFTPD with mod_sql_mysql dies of "Alarm clock" on FreeBSD (bug 3702)
  - mod_sql_mysql.so: undefined symbol: make_scrambled_password with MySQL 5.5
    on Fedora (bug 3669)
  - PQescapeStringConn() needs a better check (bug 3192)
  - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST attacks (bug 3704);
    to disable this countermeasure, which may cause interoperability issues
    with some clients, use the NoEmptyFragments TLSOption
  - Support SFTPOption for ignoring requests to modify timestamps (bug 3706)
  - RPM build on CentOS 5.5 (64bit): "File not found by glob" (bug 3640)
  - Response pool use-after-free memory corruption error
    (bug 3711, #752812, ZDI-CAN-1420, CVE-2011-4130)
- Drop upstream patch for make_scrambled_password_323
- Use upstream SysV initscript rather than our own
- Use upstream systemd service file rather than our own
- Use upstream PAM configuration rather than our own
- Use upstream logrotate configuration rather than our own
- Use upstream tempfiles configuration rather than our own
- Use upstream xinetd configuration rather than our own
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #752812 - CVE-2011-4130 proftpd: Response pool use-after-free flaw
(ZDI-CAN-1420)
        https://bugzilla.redhat.com/show_bug.cgi?id=752812
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce