-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-bfacf1e958 2019-12-08 01:16:01.293717 --------------------------------------------------------------------------------
Name : proftpd Product : Fedora 31 Version : 1.3.6b Release : 2.fc31 URL : http://www.proftpd.org/ Summary : Flexible, stable and highly-configurable FTP server Description : ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.
This package defaults to the standalone behavior of ProFTPD, but all the needed scripts to have it run by systemd instead are included.
-------------------------------------------------------------------------------- Update Information:
This update addresses a number of bugs affecting processing of CRLs in mod_tls, including possible null pointer dereferences and missing some checks. Thanks to Lionel Debroux for reporting them. -------------------------------------------------------------------------------- ChangeLog:
* Fri Nov 29 2019 Paul Howarth paul@city-fan.org - 1.3.6b-2 - Fix handling of CRL lookups by properly using issuer for lookups, and guarding against null pointers (GH#859, GH#861, CVE-2019-19269) * Sun Oct 20 2019 Paul Howarth paul@city-fan.org - 1.3.6b-1 - Update to 1.3.6b - Fixed pre-authentication remote denial-of-service issue (CVE-2019-18217, https://github.com/proftpd/proftpd/issues/846) * Sun Oct 13 2019 Paul Howarth paul@city-fan.org - 1.3.6a-1 - Update to 1.3.6a - Configure script wrongly detected AIX lastlog functions (http://bugs.proftpd.org/show_bug.cgi?id=4304) - AllowChrootSymlinks off could cause login failures depending on filesystem permissions (http://bugs.proftpd.org/show_bug.cgi?id=4306) - mod_ctrls: error: unable to bind to local socket: Address already in use (https://github.com/proftpd/proftpd/issues/501) - Failed to handle multiple %{env:...} variables in single word in configuration (https://github.com/proftpd/proftpd/issues/507) - mod_sftp failed to check shadow password information when publickey authentication used (http://bugs.proftpd.org/show_bug.cgi?id=4308) - Use of "AllowEmptyPasswords off" broke SFTP/SCP logins (http://bugs.proftpd.org/show_bug.cgi?id=4309) - Use of mod_facl as static module caused ProFTPD to die on SIGHUP/restart (http://bugs.proftpd.org/show_bug.cgi?id=4310) - Use of curve25519-sha256@libssh.org SSH2 key exchange sometimes failed (https://github.com/proftpd/proftpd/issues/556) - Close extra file descriptors at startup (http://bugs.proftpd.org/show_bug.cgi?id=4312) - <Anonymous> with AuthAliasOnly in effect did not work as expected (http://bugs.proftpd.org/show_bug.cgi?id=4314) - CreateHome NoRootPrivs only worked partially (https://github.com/proftpd/proftpd/issues/568) - SFTP OPEN response included attribute flags that are not actually provided (https://github.com/proftpd/proftpd/issues/578) - Truncation of file while being downloaded with sendfile enabled caused timeouts due to infinite loop (http://bugs.proftpd.org/show_bug.cgi?id=4318) - FTP uploads frequently broke due to "Interrupted system call" error (http://bugs.proftpd.org/show_bug.cgi?id=4319) - Site-to-site transfers over TLS failed (https://github.com/proftpd/proftpd/issues/618) - Can't see symlinks using any FTP client when using MLSD (http://bugs.proftpd.org/show_bug.cgi?id=4322) - mod_tls 1.3.6 failed to compile using OpenSSL 0.9.8e (http://bugs.proftpd.org/show_bug.cgi?id=4325) - Using MaxClientsPerHost 1 in <Anonymous> section denied logins (http://bugs.proftpd.org/show_bug.cgi?id=4326) - SQLNamedConnectInfo with different backend database did not work properly (https://github.com/proftpd/proftpd/issues/642) - Segfault with mod_sftp+mod_sftp_pam after successful authentication using keyboard-interactive method (https://github.com/proftpd/proftpd/issues/656) - autoconf always failed to detect support for FIPS (https://github.com/proftpd/proftpd/issues/660) - SFTP connections failed when using "arcfour256" cipher (https://github.com/proftpd/proftpd/issues/663) - mod_auth_otp failed to build with OpenSSL 1.1.x (http://bugs.proftpd.org/show_bug.cgi?id=4335) - scp broken on FreeBSD 11 (http://bugs.proftpd.org/show_bug.cgi?id=4341) - Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases (https://github.com/proftpd/proftpd/issues/674) - Infinite loop possible in mod_sftp's set_sftphostkey() function (http://bugs.proftpd.org/show_bug.cgi?id=4356) - Some ASCII text files corrupted when downloading (http://bugs.proftpd.org/show_bug.cgi?id=4352) - Properly use the --includedir, --libdir configure variables in the generated proftpd.pc pkgconfig file (https://github.com/proftpd/proftpd/issues/797) - Reading invalid SSH key from database resulted in unexpected/unlogged disconnect failures (http://bugs.proftpd.org/show_bug.cgi?id=4350) - Symlink navigation broken after 1.3.6 update (http://bugs.proftpd.org/show_bug.cgi?id=4332) - Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3 (https://github.com/proftpd/proftpd/issues/795) - SITE CPFR/CPTO did not honor <Limit> configurations (http://bugs.proftpd.org/show_bug.cgi?id=4372) - Using "TLSProtocol SSLv23" did not enable all protocol versions (https://github.com/proftpd/proftpd/issues/807) -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1777975 - CVE-2019-19269 proftpd: NULL pointer dereference when validating the certificate of a client connecting to the server https://bugzilla.redhat.com/show_bug.cgi?id=1777975 [ 2 ] Bug #1778258 - CVE-2019-19270 proftpd: failure to check for the appropriate field of a CRL entry prevents some valid CRLs from being taken into account https://bugzilla.redhat.com/show_bug.cgi?id=1778258 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-bfacf1e958' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------