LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora alert FEDORA-2013-16810 (proftpd)



From:
    	      updates@fedoraproject.org 


To:
    	      package-announce@lists.fedoraproject.org 


Subject:
    	      [SECURITY] Fedora 18 Update: proftpd-1.3.4d-4.fc18 


Date:
    	      Tue, 24 Sep 2013 00:21:03 +0000


Message-ID:
    	      <20130924002103.1867821FBC@bastion01.phx2.fedoraproject.org>


Archive-link:
    	      Article, Thread
              


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-16810
2013-09-15 23:16:46
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 18
Version     : 1.3.4d
Release     : 4.fc18
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This update addresses an issue with mod_sftp and mod_sftp_pam in which a malicious client could
cause the server to make extremely large memory requests and potentially crash.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Sep 14 2013 Paul Howarth <paul@city-fan.org> 1.3.4d-4
- Fix mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication
  (#1007678, upstream bug #3973)
* Sun Aug  4 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 1.3.4d-2.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> 1.3.4d-2.1
- Perl 5.18 rebuild
* Mon Jun 17 2013 Paul Howarth <paul@city-fan.org> 1.3.4d-2
- Fix spurious log messages at session close (upstream bug #3945)
* Sat Jun 15 2013 Paul Howarth <paul@city-fan.org> 1.3.4d-1
- Update to 1.3.4d
  - Fixed broken build when using --disable-ipv6 configure option
  - Fixed mod_sql "SQLAuthType Backend" MySQL issues
  - Various other bugs fixed - see NEWS for details
- Drop upstreamed patch for PAM session closing
* Tue Apr 16 2013 Paul Howarth <paul@city-fan.org> 1.3.4c-2
- Make sure we can switch back to root before closing PAM sessions so that
  they're closed properly and don't pollute the system logs with dbus reject
  messages (#951728, upstream bug #3929)
* Thu Mar  7 2013 Paul Howarth <paul@city-fan.org> 1.3.4c-1
- Update to 1.3.4c
  - Added Spanish translation
  - Fixed several mod_sftp issues, including SFTPPassPhraseProvider,
    handling of symlinks for REALPATH requests, and response code logging
  - Fixed symlink race for creating directories when UserOwner is in effect
  - Increased performance of FTP directory listings
- Drop MySQL password patch, no longer needed
- Drop upstreamed proftpd patch for CVE-2012-6095
- Update patch for bug 3744 to apply against updated proftpd code
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 1.3.4b-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Jan 16 2013 Paul Howarth <paul@city-fan.org> 1.3.4b-5
- Update patch for CVE-2012-6095 to cover vroot cases
* Mon Jan  7 2013 Paul Howarth <paul@city-fan.org> 1.3.4b-4
- Fix possible symlink race when applying UserOwner to newly created directory
  (CVE-2012-6095, #892715, http://bugs.proftpd.org/show_bug.cgi?id=3841)
* Sat Sep 22 2012 Remi Collet <remi@fedoraproject.org> 1.3.4b-3
- Rebuild against libmemcached.so.11 without SASL
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1007679 - proftpd: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint
authentication [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1007679
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds