|
|
Subscribe / Log in / New account

SUSE alert openSUSE-SU-2025:0315-1 (proftpd)



From:
              opensuse-security@opensuse.org


To:
              security-announce@lists.opensuse.org


Subject:
              openSUSE-SU-2025:0315-1: important: Security update for proftpd


Date:
              Mon, 25 Aug 2025 15:05:03 +0200


Message-ID:
              <20250825130503.CD265FF2E@maintenance.suse.de>


Archive-link:
              Article



   openSUSE Security Update: Security update for proftpd
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0315-1
Rating:             important
References:         #1233997 #1236889 
Cross-References:   CVE-2024-48651 CVE-2024-57392
CVSS scores:
                    CVE-2024-48651 (SUSE): 8.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
                    CVE-2024-57392 (SUSE): 5.7
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP6
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for proftpd fixes the following issues:

   - CVE-2024-57392: Null pointer dereference vulnerability by sending a
     maliciously crafted message (boo#1236889).
   - CVE-2024-48651: Supplemental group inheritance grants unintended access
     to GID 0 (boo#1233997).


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP7:

      zypper in -t patch openSUSE-2025-315=1

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2025-315=1



Package List:

   - openSUSE Backports SLE-15-SP7 (aarch64 i586 ppc64le s390x x86_64):

      proftpd-1.3.8d-bp157.2.3.1
      proftpd-debuginfo-1.3.8d-bp157.2.3.1
      proftpd-debugsource-1.3.8d-bp157.2.3.1
      proftpd-devel-1.3.8d-bp157.2.3.1
      proftpd-doc-1.3.8d-bp157.2.3.1
      proftpd-ldap-1.3.8d-bp157.2.3.1
      proftpd-ldap-debuginfo-1.3.8d-bp157.2.3.1
      proftpd-mysql-1.3.8d-bp157.2.3.1
      proftpd-mysql-debuginfo-1.3.8d-bp157.2.3.1
      proftpd-pgsql-1.3.8d-bp157.2.3.1
      proftpd-pgsql-debuginfo-1.3.8d-bp157.2.3.1
      proftpd-radius-1.3.8d-bp157.2.3.1
      proftpd-radius-debuginfo-1.3.8d-bp157.2.3.1
      proftpd-sqlite-1.3.8d-bp157.2.3.1
      proftpd-sqlite-debuginfo-1.3.8d-bp157.2.3.1

   - openSUSE Backports SLE-15-SP7 (noarch):

      proftpd-lang-1.3.8d-bp157.2.3.1

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

      proftpd-1.3.8d-bp156.2.6.1
      proftpd-devel-1.3.8d-bp156.2.6.1
      proftpd-doc-1.3.8d-bp156.2.6.1
      proftpd-ldap-1.3.8d-bp156.2.6.1
      proftpd-mysql-1.3.8d-bp156.2.6.1
      proftpd-pgsql-1.3.8d-bp156.2.6.1
      proftpd-radius-1.3.8d-bp156.2.6.1
      proftpd-sqlite-1.3.8d-bp156.2.6.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      proftpd-lang-1.3.8d-bp156.2.6.1


References:

   https://www.suse.com/security/cve/CVE-2024-48651.html
   https://www.suse.com/security/cve/CVE-2024-57392.html
   https://bugzilla.suse.com/1233997
   https://bugzilla.suse.com/1236889
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds