[SECURITY] Fedora 20 Update: proftpd-1.3.4e-3.fc20

updates at fedoraproject.org updates at fedoraproject.org
Sun May 3 17:25:18 UTC 2015


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-6401
2015-04-18 05:44:50
--------------------------------------------------------------------------------

Name        : proftpd
Product     : Fedora 20
Version     : 1.3.4e
Release     : 3.fc20
URL         : http://www.proftpd.org/
Summary     : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.

This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by xinetd instead are included.

--------------------------------------------------------------------------------
Update Information:

Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by *unauthenticated clients*

Upstream report:
http://bugs.proftpd.org/show_bug.cgi?id=4169

This update contains a backported fix for this issue.

Note that mod_copy is not loaded/enabled by default in the Fedora package.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 23 2015 Paul Howarth <paul at city-fan.org> - 1.3.4e-3
- Fix failure to load mod_copy by removing references to function that has not
  been backported
* Wed Apr 15 2015 Paul Howarth <paul at city-fan.org> - 1.3.4e-2
- Unauthenticated copying of files via SITE CPFR/CPTO was allowed by mod_copy
  (CVE-2015-3306, http://bugs.proftpd.org/show_bug.cgi?id=4169)
- Fix wrong size in memset in mod_sftp_pam causing compiler warning
* Mon Feb 16 2015 Paul Howarth <paul at city-fan.org> - 1.3.4e-1
- Update to 1.3.4e
  - Fixed numerous upstream-reported bugs:
    - Spurious log messages at session close (bug 3945)
    - LogFormat %f variable not resolved properly for SFTP renames (bug 3947)
    - mod_delay allows too-large values, leading to client hang on
      authentication (bug 3858)
    - Null pointer dereference for mod_ldap logins when LDAPDefaultAuthScheme
      not configured (bug 3951)
    - scp downloads result in segfault (bug 3954)
    - ProFTPD configuration with thousands of <Directory>/<Limit> sections
      leads to slow logins (bug 3957)
    - mod_sftp does not honor <Directory>/<Limit> sections when symlinks are
      involved (bug 3959)
    - Directory creation does not honor single-parameter Umask setting
      (bug 3958)
    - Directory creation fails (chmod(2) EPERM) when root privs are used in
      some cases (bug 3962)
    - Authentication error on Cygwin due to bad code (bug 3972)
    - mod_sftp can be forced to allocate too much memory for
      keyboard-interactive authentication (bug 3973, CVE-2013-4359)
    - PathDenyFilter directive does not work as expected for SFTP sessions
      (bug 3974)
    - Improve permission setting when creating directories (bug 3963)
    - Null pointer dereference in mod_exec with ExecOption useStdin (bug 3981)
    - Support filesystems that do not support chmod(2)/chown(2), e.g. FAT/ExFAT
      (bug 3986)
    - SSL session caching modules use incorrect OpenSSL cache mode flags,
      breaking session caching (bug 3991)
    - ProFTPD should not use fd 2 (stderr) for files (bug 3970)
    - RSA signature issue when connecting using PuTTY/WinSCP (bug 3992)
    - mod_sftp fails key exchange for 8192-bit DH group (bug 4001)
    - IgnoreSCPUploadPerms SFTPOption not honored properly for SCP directory
      upload (bug 4004)
    - RADIUS "service-type" attribute encoded with wrong length on 64-bit
      system (bug 4006)
    - SCP upload of shorter file does not completely overwrite existing file of
      same name (bug 4013)
    - "Directory not empty" error when creating directory is misleading
      (bug 4022)
    - Restarting proftpd with mod_sftp fails due to permissions on SFTPHostKey
      file (bug 4032)
    - SSH publickey authentication fails with "MaxLoginAttempts 1" (bug 4034)
    - ALLO command failed because of bad size check (bug 4046)
    - Race condition in mod_ban can lead to segfault of all new connections
      (bug 4048)
    - MIC command between RNFR and RNTO should not be rejected (bug 4042)
    - mod_facl prevents a normal SIGHUP reload (bug 4044)
- Drop patches for issues resolved in new upstream release
- Anonymous upload directory specification needs to be slightly different if
  mod_vroot is in use (#1045922)
  http://sourceforge.net/p/proftp/mailman/message/31728570/
- Backport some changes from upstream's 1.3.5 release to get the API tests to
  build
- Use %license where possible
* Fri Dec 20 2013 Paul Howarth <paul at city-fan.org> 1.3.4d-5
- Fix support for 8192-bit DH parameters (#1044586)
- Add 3072-bit and 7680-bit DH parameters (upstream bug 4002)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1212386 - CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
        https://bugzilla.redhat.com/show_bug.cgi?id=1212386
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update proftpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------


More information about the package-announce mailing list