
Fedora alert FEDORA-2010-17098 (proftpd)

Subject:  [SECURITY] Fedora 13 Update: proftpd-1.3.3c-1.fc13
Date:  Wed, 10 Nov 2010 21:46:59 +0000
Message-ID:  <>
Archive-link:  Article, Thread

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-17098
2010-11-02 21:38:38
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 13
Version     : 1.3.3c
Release     : 1.fc13
URL         :
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and
ease of configuration. It features a very Apache-like configuration syntax, and
a highly customizable server infrastructure, including support for multiple
'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.

This package defaults to the standalone behavior of ProFTPD, but all the needed
scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

This is an update to the current upstream maintenance release, which addresses
two security issues that can be exploited by malicious users to manipulate
certain data and compromise a vulnerable system.

* A logic error in the code for processing user input containing the Telnet IAC
  (Interpret As Command) escape sequence can be exploited to cause a stack-based
  buffer overflow by sending specially crafted input to the FTP or FTPS service.
  Successful exploitation may allow execution of arbitrary code. This has been
  assigned the name CVE-2010-4221. More details can be found at

* An input validation error within the "mod_site_misc" module can be exploited
  to e.g. create and delete directories, create symlinks, and change the time of
  files located outside a writable directory. Only configurations using
  "mod_site_misc", which is not enabled by default, and where the attacker has
  write access to a directory, are vulnerable to this issue, which has been
  assigned CVE-2010-3867. More details can be found at

This update also fixes an issue with SQLite authentication and adds a new module
"mod_geoip", which can be used to look up geographical information on connecting
clients and use that to set access controls for the server.

--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 1 2010 Paul Howarth <> 1.3.3c-1
- Update to 1.3.3c (#647965)
- Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925)
- Fixed directory traversal bug in mod_site_misc (CVE-2010-3867)
- Fixed SQLite authentications using "SQLAuthType Backend"
- New DSO module: mod_geoip
* Fri Sep 10 2010 Paul Howarth <> 1.3.3b-1
- Update to 1.3.3b
- Fixed SFTP directory listing bug
- Avoid corrupting utmpx databases on FreeBSD
- Avoid null pointer dereferences during data transfers
- Fixed "AuthAliasOnly on" anonymous login
* Fri Jul 2 2010 Paul Howarth <> 1.3.3a-1
- Update to 1.3.3a
- Added Japanese translation
- Many mod_sftp bugfixes
- Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later
- Fixed handling of utmp/utmpx format changes on FreeBSD
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #651607 - CVE-2010-4221 proftpd: multiple stack-based buffer overflows in pr_netio_telnet_gets()
  [ 2 ] Bug #651602 - CVE-2010-3867 proftpd: multiple directory traversal vulnerabilities
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update proftpd'
at the command line. For more information, refer to "Managing Software with
yum", available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
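The first issue above is a bounds error in the routine that filters Telnet IAC sequences out of FTP control-channel input (the reference list names pr_netio_telnet_gets()). The following C code is an added illustration written for this page, not ProFTPD's own code or its fix: it shows what a filter of that kind has to guarantee so that crafted IAC runs cannot overrun the destination buffer. The function name telnet_strip, the sample bytes and the helper functions are all constructed for the example; the Telnet command values are the RFC 854 ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Telnet command bytes (RFC 854) that may appear on an FTP control connection. */
#define TELNET_IAC  0xFF   /* Interpret As Command */
#define TELNET_DONT 0xFE
#define TELNET_DO   0xFD
#define TELNET_WONT 0xFC
#define TELNET_WILL 0xFB
#define TELNET_IP   0xF4   /* Interrupt Process, sent ahead of ABOR */
#define TELNET_DM   0xF2   /* Data Mark (Synch) */

/* Copy one raw control-channel read from `in` to `out`, removing Telnet
 * negotiation. Returns the number of bytes written to `out`, or -1 if `out`
 * cannot hold the result. Two invariants keep this safe against crafted input:
 *   1. every write to out[] is preceded by an explicit capacity check, so a
 *      long run of IAC bytes cannot advance the write index past out_cap;
 *   2. every look-ahead beyond in[i] is bounded by in_len, so an IAC that is the
 *      last byte of a read (a sequence split across reads) is dropped rather
 *      than causing a read past the end of the input. */
long telnet_strip(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t i = 0, o = 0;

    while (i < in_len) {
        uint8_t c = in[i];

        if (c != TELNET_IAC) {             /* ordinary data byte */
            if (o >= out_cap) return -1;
            out[o++] = c;
            i++;
            continue;
        }

        if (i + 1 >= in_len)               /* lone IAC at end of read: incomplete */
            break;

        uint8_t cmd = in[i + 1];
        if (cmd == TELNET_IAC) {           /* IAC IAC escapes a literal 0xFF */
            if (o >= out_cap) return -1;
            out[o++] = TELNET_IAC;
            i += 2;
        } else if (cmd == TELNET_WILL || cmd == TELNET_WONT ||
                   cmd == TELNET_DO   || cmd == TELNET_DONT) {
            if (i + 2 >= in_len)           /* option byte missing: incomplete */
                break;
            i += 3;                        /* refuse every option by dropping it */
        } else {
            i += 2;                        /* IP, DM and other two-byte commands */
        }
    }
    return (long)o;
}

/* Constructed sample (12 bytes): "US" IAC WILL 1 "ER " IAC IAC "a" IAC.
 * The trailing lone IAC is an incomplete sequence and must be dropped. */
static const uint8_t SAMPLE[] = {
    'U', 'S', TELNET_IAC, TELNET_WILL, 0x01, 'E', 'R', ' ',
    TELNET_IAC, TELNET_IAC, 'a', TELNET_IAC
};

/* Returns the stripped length of SAMPLE with an adequate buffer (7 bytes,
 * "USER " 0xFF "a"), or -2 if the stripped bytes are not what was expected. */
long sample_strip_len(void)
{
    uint8_t out[32];
    long n = telnet_strip(SAMPLE, sizeof SAMPLE, out, sizeof out);
    if (n == 7 && memcmp(out, "USER \xff" "a", 7) != 0) return -2;
    return n;
}

/* Returns 1 if a destination that is too small is refused instead of overrun. */
int sample_refuses_overrun(void)
{
    uint8_t tiny[4];
    return telnet_strip(SAMPLE, sizeof SAMPLE, tiny, sizeof tiny) == -1;
}

int main(void)
{
    printf("stripped length: %ld\n", sample_strip_len());
    printf("overrun refused: %d\n", sample_refuses_overrun());
    return 0;
}
```

The design point is that the output index and the input index are checked independently: escape handling consumes a variable number of input bytes per output byte, so a check on the input length alone says nothing about whether the destination still has room.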
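The second issue is a directory traversal in mod_site_misc: SITE commands that create, delete, symlink or touch paths were not confined to the directory the client may write to. The C code below is an added example for this page, not mod_site_misc's code or the upstream fix. It shows the lexical confinement check a server-side module needs before acting on a client-supplied path; the function confine_path, the constructed base directory /srv/ftp/upload and the wrapper demo_confine are all assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Join a client-supplied path onto `base` lexically and refuse any result that
 * would lie above `base`. Handles ".", "..", repeated slashes and a leading "/"
 * (treated as relative to base, which is how an FTP client sees the tree).
 * Returns 1 and writes the normalized path to `out` on success, 0 if the path
 * escapes base or does not fit in `cap` bytes.
 * Caveat: this is purely lexical. Symlinks are not followed, so for a path that
 * already exists on disk the caller should additionally compare realpath() of
 * the result against base before creating, deleting or touching anything. */
int confine_path(const char *base, const char *user_path, char *out, size_t cap)
{
    size_t base_len = strlen(base);
    if (base_len == 0 || base_len + 1 > cap) return 0;
    memcpy(out, base, base_len);
    while (base_len > 1 && out[base_len - 1] == '/')   /* drop trailing '/' on base */
        base_len--;
    size_t len = base_len;

    const char *p = user_path;
    while (*p) {
        while (*p == '/') p++;                 /* skip one or more separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seg_len = (size_t)(p - seg);

        if (seg_len == 1 && seg[0] == '.')     /* "." is a no-op */
            continue;
        if (seg_len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == base_len) return 0;     /* ".." at the base: escape attempt */
            while (len > base_len && out[len - 1] != '/') len--;
            if (len > base_len) len--;         /* remove the separator as well */
            continue;
        }
        /* Append "/" + segment, checking capacity before every write. */
        size_t need = (out[len - 1] == '/' ? 0 : 1) + seg_len;
        if (len + need + 1 > cap) return 0;
        if (out[len - 1] != '/') out[len++] = '/';
        memcpy(out + len, seg, seg_len);
        len += seg_len;
    }
    out[len] = '\0';
    return 1;
}

#define DEMO_BASE "/srv/ftp/upload"   /* constructed example writable directory */

/* Returns the confined absolute path for `user_path`, or NULL if rejected. */
const char *demo_confine(const char *user_path)
{
    static char buf[256];
    return confine_path(DEMO_BASE, user_path, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed inputs: the first three stay inside the base, the last two
     * try to climb out of it and must be rejected. */
    const char *inputs[] = { "a/../b", "dir/./sub//file", "/abs",
                             "../etc/passwd", "a/../../x" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        const char *r = demo_confine(inputs[k]);
        printf("%-16s -> %s\n", inputs[k], r ? r : "REJECTED");
    }
    return 0;
}
```

Rejecting at the first ".." that reaches the base, rather than normalizing and then comparing string prefixes, avoids the classic prefix-check mistake where /srv/ftp/upload2 is accepted as being under /srv/ftp/upload.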


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds