
Mageia alert MGASA-2016-0128 (proftpd)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2016-0128: Updated proftpd packages fix security vulnerability
Date:  Thu, 31 Mar 2016 22:23:04 +0200
Message-ID:  <20160331202304.05CBE9F640@duvel.mageia.org>

MGASA-2016-0128 - Updated proftpd packages fix security vulnerability

Publication date: 31 Mar 2016
URL: http://advisories.mageia.org/MGASA-2016-0128.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-3125

Description:
A bug with security implications was found in the mod_tls module in
ProFTPD before 1.3.5b. This module has a configuration option
TLSDHParamFile to specify user-defined Diffie Hellman parameters. The
software would ignore the user-defined parameters and use Diffie Hellman
key exchanges with 1024 bits (CVE-2016-3125).

The proftpd package has been updated to version 1.3.5b, which fixes this
issue and other bugs, including:
- SSH RSA hostkeys smaller than 2048 bits now work properly.
- MLSD response lines are now properly CRLF terminated.

References:
- https://bugs.mageia.org/show_bug.cgi?id=17960
- http://www.proftpd.org/docs/RELEASE_NOTES-1.3.5b
- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3125

SRPMS:
- 5/core/proftpd-1.3.5b-1.mga5
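To confirm that a server honours TLSDHParamFile after the update, compare the size of the configured parameters with the ephemeral key the server actually offers. The script below is an added example, not part of the advisory or of ProFTPD; the sample `openssl` outputs are constructed, and the function names and the `Server Temp Key` / `DH Parameters` line formats it parses are assumptions about the local `openssl` tool.

```shell
#!/bin/sh
# Added example: detect mod_tls ignoring TLSDHParamFile (CVE-2016-3125).
# Sample outputs below are constructed; real input would come from, e.g.:
#   openssl dhparam -in <your TLSDHParamFile> -text -noout
#   openssl s_client -connect <host>:21 -starttls ftp -cipher DHE </dev/null

# Bits of the ephemeral DH key the server offered ("Server Temp Key" line);
# prints nothing when the handshake did not use DHE (e.g. ECDH).
negotiated_dh_bits() {
    printf '%s\n' "$1" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Bits of the parameters stored in the file named by TLSDHParamFile.
configured_dh_bits() {
    printf '%s\n' "$1" |
        sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Compare both: IGNORED means the server offered less than was configured.
compare_dh() {
    n=$(negotiated_dh_bits "$1")
    c=$(configured_dh_bits "$2")
    if [ -z "$c" ]; then echo "NO_PARAMS"
    elif [ -z "$n" ]; then echo "NO_DHE"
    elif [ "$n" -lt "$c" ]; then echo "IGNORED configured=$c negotiated=$n"
    else echo "OK configured=$c negotiated=$n"
    fi
}

SAMPLE_DHPARAM='    DH Parameters: (2048 bit)
        prime:'
SAMPLE_AFFECTED='---
Server Temp Key: DH, 1024 bits
---'
SAMPLE_FIXED='---
Server Temp Key: DH, 2048 bits
---'
SAMPLE_ECDHE='---
Server Temp Key: ECDH, P-256, 256 bits
---'

compare_dh "$SAMPLE_AFFECTED" "$SAMPLE_DHPARAM"
compare_dh "$SAMPLE_FIXED" "$SAMPLE_DHPARAM"
compare_dh "$SAMPLE_ECDHE" "$SAMPLE_DHPARAM"
```

A `NO_DHE` result means the handshake settled on a non-DHE key exchange, so the check says nothing about TLSDHParamFile until the client offers only DHE suites.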

