Three security flaws have been found in the proftpd server builds shipped with Fedora 13, 14 and 15. ProFTPD is an FTP server that also offers SFTP (mod_sftp) and FTPS (mod_tls); plain FTP itself carries credentials and data in cleartext, so only those two modes give transport protection. The first flaw is an integer overflow in the "mod_sftp" module (CVE-2011-1137); the other two concern the regcomp implementation in the glibc library (CVE-2010-4051 and CVE-2010-4052). A remote attacker can exploit the first flaw to mount a denial-of-service attack by sending a specially crafted SSH message. A context-dependent attacker can likewise exploit the other two for a DoS attack, using regular expressions that contain bounded repetition operators. The updates additionally fix a plaintext command injection in the FTPS implementation. Upgrading is recommended.
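The bug class behind "badly formed SSH messages cause DoS", shown as an added example that is not code from proftpd or its mod_sftp module (the advisories do not say which field overflowed, so the message layout, field offsets and both reader functions here are illustrative). SSH wire types (RFC 4251) prefix every string with a big-endian uint32 length; a reader that adds that attacker-controlled length to an offset in 32-bit arithmetic lets the sum wrap past the bounds check, and the server then reads far beyond the received buffer and crashes.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not mod_sftp code: naive vs. wrap-safe SSH string length check. */

/* Big-endian uint32 as carried on the SSH wire. */
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Naive reader: bounds check written as "off + 4 + len <= buflen" in uint32.
 * A declared length close to 2^32 wraps the sum to a small value, the check
 * passes, and the caller is handed a pointer with a huge length.
 * Returns 1 if the field was accepted, 0 if rejected. */
int read_string_naive(const unsigned char *buf, uint32_t buflen, uint32_t off,
                      const unsigned char **out, uint32_t *outlen) {
    if (off + 4 > buflen)
        return 0;
    uint32_t len = get_u32(buf + off);
    uint32_t end = off + 4 + len;      /* modular arithmetic: may wrap to 0 */
    if (end > buflen)
        return 0;
    *out = buf + off + 4;
    *outlen = len;
    return 1;
}

/* Hardened reader: only subtract from what is known to fit and compare the
 * declared length against the remaining bytes, so nothing can wrap. */
int read_string_checked(const unsigned char *buf, uint32_t buflen, uint32_t off,
                        const unsigned char **out, uint32_t *outlen) {
    if (off > buflen || buflen - off < 4)
        return 0;
    uint32_t len = get_u32(buf + off);
    uint32_t remaining = buflen - off - 4;
    if (len > remaining)
        return 0;
    *out = buf + off + 4;
    *outlen = len;
    return 1;
}

/* Constructed inputs (not captured traffic): a well-formed 3-byte string "abc",
 * and a malformed message whose declared length 0xFFFFFFFC makes 4 + len wrap to 0. */
static const unsigned char good_msg[] = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const unsigned char bad_msg[]  = { 0xff, 0xff, 0xff, 0xfc, 0, 0, 0, 0 };

int naive_accepts_malformed(void) {
    const unsigned char *s; uint32_t n;
    return read_string_naive(bad_msg, sizeof bad_msg, 0, &s, &n);
}

int checked_rejects_malformed(void) {
    const unsigned char *s; uint32_t n;
    return read_string_checked(bad_msg, sizeof bad_msg, 0, &s, &n) == 0;
}

int checked_accepts_wellformed(void) {
    const unsigned char *s; uint32_t n;
    return read_string_checked(good_msg, sizeof good_msg, 0, &s, &n) == 1 && n == 3;
}

int main(void) {
    printf("naive reader accepts malformed length: %d\n", naive_accepts_malformed());
    printf("checked reader rejects it:             %d\n", checked_rejects_malformed());
    printf("checked reader accepts \"abc\":         %d\n", checked_accepts_wellformed());
    return 0;
}
```

The point of the hardened variant is that the attacker-controlled value is never an operand of an addition; it is only ever compared against a quantity the server computed from its own buffer size.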

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-5098
2011-04-09 05:23:06
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 15
Version     : 1.3.4
Release     : 0.8.rc2.fc15
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:


The second release candidate for proftpd 1.3.4.

This includes fixes for a number of security issues:

* Plaintext command injection vulnerability in FTPS implementation
* Badly formed SSH messages cause DoS
* Limit recursion depth for untrusted regular expressions (#673040)

The update also contains a large number of bug fixes over release candidate 1,
plus new support for SSL session caching using memcached.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #681718 - CVE-2011-1137 proftpd: integer overflow in mod_sftp
        https://bugzilla.redhat.com/show_bug.cgi?id=681718
  [ 2 ] Bug #645859 - CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine
        https://bugzilla.redhat.com/show_bug.cgi?id=645859
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-5033
2011-04-08 22:59:32
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 13
Version     : 1.3.3e
Release     : 1.fc13
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream maintenance release, fixes a large number
of bugs (see NEWS for details), and also a couple of security issues:

* Plaintext command injection vulnerability in FTPS implementation (i.e.
mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for details.

* CVE-2011-1137 (badly formed SSH messages cause DoS). See
http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.

Other highlights include:

* Display messages work properly again.

* Performance improvements, especially during server startup/restarts.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr  4 2011 Paul Howarth 1.3.3e-1
- Update to 1.3.3e, fixing a large number of bugs reported upstream:
  - Process privileges may not be handled properly when --enable-autoshadow is
    used (bug 3757)
  - mod_sftp closes channel too early after scp download (bug 3544)
  - mod_sftp_pam may tell client to disable echoing erroneously (bug 3579)
  - mod_sftp behaves badly when receiving badly formed SSH messages (bug 3586,
    CVE-2011-1137)
  - Using "$shell $libtool" in prxs does not work for all shells (bug 3593)
  - WrapAllowMsg directive broken due to bug 3423 (bug 3538)
  - SocketOptions receive/send buffer size parameters no longer work (bug 3607)
  - mod_wrap2 needs to support netmask rules for IPv6 addresses (bug 3606)
  - APPE/STOU upload flags erroneously preserved across upload commands
    (bug 3612)
  - Malicious module can use sreplace() function to overflow buffer (bug 3614)
  - Exiting sessions don't seem to die properly (bug 3619)
  - mod_delay sometimes logs "unable to load DelayTable into memory" (bug 3622)
  - Plaintext command injection in FTPS support (bug 3624)
  - mod_ifsession rules using regular expressions do not work (bug 3625)
  - Truncated client name saved in ScoreboardFile (bug 3623)
  - %w variable populated with non-absolute path in SQLLog statement (bug 3627)
  - Unnecessarily verbose "warning: unable to throttle bandwidth: Interrupted
    system call" (bug 3628)
  - SSH DISCONNECT messages sent by mod_sftp even for FTP connections in some
    cases (bug 3630)
  - mod_sql should log "unrecoverable database error" at a higher priority
    (bug 3632)
  - Proftpd is eating CPU when reparsing configuration file on SIGHUP (bug 3610)
  - Incorrect generation of DSA signature for SSH sessions (bug 3634)
- Nobody else likes macros for commands
* Wed Jan 19 2011 Paul Howarth 1.3.3d-1
- Updated to 1.3.3d
  - Fixed sql_prepare_where() buffer overflow (bug 3536, CVE-2010-4652)
  - Fixed CPU spike when handling .ftpaccess files
  - Fixed handling of SFTP uploads when compression is used
- Add Default-Stop LSB keyword in initscript (for runlevels 0, 1, and 6)
- Fix typos in config file and initscript
* Mon Nov  1 2010 Paul Howarth 1.3.3c-1
- Update to 1.3.3c (#647965)
  - Fixed Telnet IAC stack overflow vulnerability (CVE-2010-4221)
  - Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
  - Fixed SQLite authentications using "SQLAuthType Backend"
- New DSO module: mod_geoip
* Fri Sep 10 2010 Paul Howarth 1.3.3b-1
- Update to 1.3.3b
  - Fixed SFTP directory listing bug
  - Avoid corrupting utmpx databases on FreeBSD
  - Avoid null pointer dereferences during data transfers
  - Fixed "AuthAliasOnly on" anonymous login
* Fri Jul  2 2010 Paul Howarth 1.3.3a-1
- Update to 1.3.3a
  - Added Japanese translation
  - Many mod_sftp bugfixes
  - Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
  - Fixed handling of utmp/utmpx format changes on FreeBSD
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #681718 - CVE-2011-1137 proftpd: integer overflow in mod_sftp
        https://bugzilla.redhat.com/show_bug.cgi?id=681718
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-5040
2011-04-08 22:59:49
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 14
Version     : 1.3.3e
Release     : 1.fc14
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update, to the current upstream maintenance release, fixes a large number
of bugs (see NEWS for details), and also a couple of security issues:

* Plaintext command injection vulnerability in FTPS implementation (i.e.
mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for details.

* CVE-2011-1137 (badly formed SSH messages cause DoS). See
http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.

Other highlights include:

* Display messages work properly again.

* Performance improvements, especially during server startup/restarts.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr  4 2011 Paul Howarth 1.3.3e-1
- Update to 1.3.3e, fixing a large number of bugs reported upstream:
  - Process privileges may not be handled properly when --enable-autoshadow is
    used (bug 3757)
  - mod_sftp closes channel too early after scp download (bug 3544)
  - mod_sftp_pam may tell client to disable echoing erroneously (bug 3579)
  - mod_sftp behaves badly when receiving badly formed SSH messages (bug 3586,
    CVE-2011-1137)
  - Using "$shell $libtool" in prxs does not work for all shells (bug 3593)
  - WrapAllowMsg directive broken due to bug 3423 (bug 3538)
  - SocketOptions receive/send buffer size parameters no longer work (bug 3607)
  - mod_wrap2 needs to support netmask rules for IPv6 addresses (bug 3606)
  - APPE/STOU upload flags erroneously preserved across upload commands
    (bug 3612)
  - Malicious module can use sreplace() function to overflow buffer (bug 3614)
  - Exiting sessions don't seem to die properly (bug 3619)
  - mod_delay sometimes logs "unable to load DelayTable into memory" (bug 3622)
  - Plaintext command injection in FTPS support (bug 3624)
  - mod_ifsession rules using regular expressions do not work (bug 3625)
  - Truncated client name saved in ScoreboardFile (bug 3623)
  - %w variable populated with non-absolute path in SQLLog statement (bug 3627)
  - Unnecessarily verbose "warning: unable to throttle bandwidth: Interrupted
    system call" (bug 3628)
  - SSH DISCONNECT messages sent by mod_sftp even for FTP connections in some
    cases (bug 3630)
  - mod_sql should log "unrecoverable database error" at a higher priority
    (bug 3632)
  - Proftpd is eating CPU when reparsing configuration file on SIGHUP (bug 3610)
  - Incorrect generation of DSA signature for SSH sessions (bug 3634)
- Nobody else likes macros for commands
* Wed Jan 19 2011 Paul Howarth 1.3.3d-1
- Updated to 1.3.3d
  - Fixed sql_prepare_where() buffer overflow (bug 3536, CVE-2010-4652)
  - Fixed CPU spike when handling .ftpaccess files
  - Fixed handling of SFTP uploads when compression is used
- Add Default-Stop LSB keyword in initscript (for runlevels 0, 1, and 6)
- Fix typos in config file and initscript
* Mon Nov  1 2010 Paul Howarth 1.3.3c-1
- Update to 1.3.3c (#647965)
  - Fixed Telnet IAC stack overflow vulnerability (CVE-2010-4221)
  - Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
  - Fixed SQLite authentications using "SQLAuthType Backend"
- New DSO module: mod_geoip
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #681718 - CVE-2011-1137 proftpd: integer overflow in mod_sftp
        https://bugzilla.redhat.com/show_bug.cgi?id=681718
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
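A check a practitioner would want after running the yum command above, given as an added example that is not part of the Fedora notifications or of rpm itself: decide whether the proftpd build actually installed on a host is at or above the fixed VERSION-RELEASE for its Fedora release (1.3.3e-1.fc13, 1.3.3e-1.fc14 and 1.3.4-0.8.rc2.fc15, taken from the three notifications on this page). The installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' proftpd`; the comparison below re-implements rpm's segment ordering in simplified form. Assumptions: only digit and letter segments are handled (rpm's '~' and '^' rules are omitted), no epoch is involved, and the sample strings in main() are constructed, not taken from a real host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not rpm's own rpmvercmp(): simplified segment-wise ordering.
 * Returns 1 if a is newer than b, -1 if older, 0 if equal. */
int rpmvercmp_lite(const char *a, const char *b) {
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a)) a++;   /* skip '.', '-' etc. */
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b)
            break;
        const char *as = a, *bs = b;
        int isnum = isdigit((unsigned char)*a) != 0;
        if (isnum) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
        }
        size_t alen = (size_t)(a - as), blen = (size_t)(b - bs);
        if (blen == 0)                    /* segment types differ: numeric wins */
            return isnum ? 1 : -1;
        if (isnum) {                      /* drop leading zeros; longer number is bigger */
            while (alen > 1 && *as == '0') { as++; alen--; }
            while (blen > 1 && *bs == '0') { bs++; blen--; }
            if (alen != blen)
                return alen > blen ? 1 : -1;
        }
        int rc = strncmp(as, bs, alen < blen ? alen : blen);
        if (rc)
            return rc < 0 ? -1 : 1;
        if (alen != blen)                 /* same prefix: longer alpha run is newer */
            return alen > blen ? 1 : -1;
    }
    if (!*a && !*b)
        return 0;
    return *a ? 1 : -1;                   /* whichever still has segments is newer */
}

/* Split "VERSION-RELEASE" at the first '-' (rpm versions never contain one). */
static void split_vr(const char *vr, char *ver, size_t vsz, const char **rel) {
    const char *dash = strchr(vr, '-');
    size_t n = dash ? (size_t)(dash - vr) : strlen(vr);
    if (n >= vsz) n = vsz - 1;
    memcpy(ver, vr, n);
    ver[n] = '\0';
    *rel = dash ? dash + 1 : "";
}

/* Compare two VERSION-RELEASE strings: version first, then release. */
int vrcmp(const char *a, const char *b) {
    char av[64], bv[64];
    const char *ar, *br;
    split_vr(a, av, sizeof av, &ar);
    split_vr(b, bv, sizeof bv, &br);
    int rc = rpmvercmp_lite(av, bv);
    return rc ? rc : rpmvercmp_lite(ar, br);
}

/* Fixed VERSION-RELEASE per Fedora release, from the three notifications. */
const char *proftpd_fixed_vr(int fedora) {
    switch (fedora) {
    case 13: return "1.3.3e-1.fc13";
    case 14: return "1.3.3e-1.fc14";
    case 15: return "1.3.4-0.8.rc2.fc15";
    default: return NULL;
    }
}

/* 1 = installed build is at or above the fixed one, 0 = still vulnerable,
 * -1 = no fixed build known for that Fedora release. */
int proftpd_is_fixed(int fedora, const char *installed_vr) {
    const char *fixed = proftpd_fixed_vr(fedora);
    if (!fixed)
        return -1;
    return vrcmp(installed_vr, fixed) >= 0;
}

int main(void) {
    /* Constructed sample values, in the format the rpm query above prints. */
    printf("F13 1.3.3d-1.fc13:      %d\n", proftpd_is_fixed(13, "1.3.3d-1.fc13"));
    printf("F13 1.3.3e-1.fc13:      %d\n", proftpd_is_fixed(13, "1.3.3e-1.fc13"));
    printf("F15 1.3.4-0.7.rc2.fc15: %d\n", proftpd_is_fixed(15, "1.3.4-0.7.rc2.fc15"));
    return 0;
}
```

Note that the Fedora 15 fix lives in the release field only (0.7.rc2 versus 0.8.rc2 of the same 1.3.4 version), so a check that compares the version string alone would wrongly report that host as patched.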

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------