--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-848e410cfb
2019-10-28 01:38:47.888985
--------------------------------------------------------------------------------
Name : proftpd
Product : Fedora 31
Version : 1.3.6b
Release : 1.fc31
URL :
http://www.proftpd.org/
Summary : Flexible, stable and highly-configurable FTP server
Description :
ProFTPD is an enhanced FTP server with a focus toward simplicity, security,
and ease of configuration. It features a very Apache-like configuration
syntax, and a highly customizable server infrastructure, including support for
multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory
visibility.
This package defaults to the standalone behavior of ProFTPD, but all the
needed scripts to have it run by systemd instead are included.
--------------------------------------------------------------------------------
Update Information:
This is a cumulative bug-fix update from upstream, including a fix for a pre-
authentication remote denial of service issue.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Oct 20 2019 Paul Howarth <paul(a)city-fan.org> - 1.3.6b-1
- Update to 1.3.6b
- Fixed pre-authentication remote denial-of-service issue
(
https://github.com/proftpd/proftpd/issues/846)
* Sun Oct 13 2019 Paul Howarth <paul(a)city-fan.org> - 1.3.6a-1
- Update to 1.3.6a
- Configure script wrongly detected AIX lastlog functions
(
http://bugs.proftpd.org/show_bug.cgi?id=4304)
- AllowChrootSymlinks off could cause login failures depending on filesystem
permissions (
http://bugs.proftpd.org/show_bug.cgi?id=4306)
- mod_ctrls: error: unable to bind to local socket: Address already in use
(
https://github.com/proftpd/proftpd/issues/501)
- Failed to handle multiple %{env:...} variables in single word in
configuration (
https://github.com/proftpd/proftpd/issues/507)
- mod_sftp failed to check shadow password information when publickey
authentication used (
http://bugs.proftpd.org/show_bug.cgi?id=4308)
- Use of "AllowEmptyPasswords off" broke SFTP/SCP logins
(
http://bugs.proftpd.org/show_bug.cgi?id=4309)
- Use of mod_facl as static module caused ProFTPD to die on SIGHUP/restart
(
http://bugs.proftpd.org/show_bug.cgi?id=4310)
- Use of curve25519-sha256(a)libssh.org SSH2 key exchange sometimes failed
(
https://github.com/proftpd/proftpd/issues/556)
- Close extra file descriptors at startup
(
http://bugs.proftpd.org/show_bug.cgi?id=4312)
- <Anonymous> with AuthAliasOnly in effect did not work as expected
(
http://bugs.proftpd.org/show_bug.cgi?id=4314)
- CreateHome NoRootPrivs only worked partially
(
https://github.com/proftpd/proftpd/issues/568)
- SFTP OPEN response included attribute flags that are not actually provided
(
https://github.com/proftpd/proftpd/issues/578)
- Truncation of file while being downloaded with sendfile enabled caused
timeouts due to infinite loop (
http://bugs.proftpd.org/show_bug.cgi?id=4318)
- FTP uploads frequently broke due to "Interrupted system call" error
(
http://bugs.proftpd.org/show_bug.cgi?id=4319)
- Site-to-site transfers over TLS failed
(
https://github.com/proftpd/proftpd/issues/618)
- Can't see symlinks using any FTP client when using MLSD
(
http://bugs.proftpd.org/show_bug.cgi?id=4322)
- mod_tls 1.3.6 failed to compile using OpenSSL 0.9.8e
(
http://bugs.proftpd.org/show_bug.cgi?id=4325)
- Using MaxClientsPerHost 1 in <Anonymous> section denied logins
(
http://bugs.proftpd.org/show_bug.cgi?id=4326)
- SQLNamedConnectInfo with different backend database did not work properly
(
https://github.com/proftpd/proftpd/issues/642)
- Segfault with mod_sftp+mod_sftp_pam after successful authentication using
keyboard-interactive method (
https://github.com/proftpd/proftpd/issues/656)
- autoconf always failed to detect support for FIPS
(
https://github.com/proftpd/proftpd/issues/660)
- SFTP connections failed when using "arcfour256" cipher
(
https://github.com/proftpd/proftpd/issues/663)
- mod_auth_otp failed to build with OpenSSL 1.1.x
(
http://bugs.proftpd.org/show_bug.cgi?id=4335)
- scp broken on FreeBSD 11 (
http://bugs.proftpd.org/show_bug.cgi?id=4341)
- Update mod_sftp to handle changed APIs in OpenSSL 1.1.x releases
(
https://github.com/proftpd/proftpd/issues/674)
- Infinite loop possible in mod_sftp's set_sftphostkey() function
(
http://bugs.proftpd.org/show_bug.cgi?id=4356)
- Some ASCII text files corrupted when downloading
(
http://bugs.proftpd.org/show_bug.cgi?id=4352)
- Properly use the --includedir, --libdir configure variables in the
generated proftpd.pc pkgconfig file
(
https://github.com/proftpd/proftpd/issues/797)
- Reading invalid SSH key from database resulted in unexpected/unlogged
disconnect failures (
http://bugs.proftpd.org/show_bug.cgi?id=4350)
- Symlink navigation broken after 1.3.6 update
(
http://bugs.proftpd.org/show_bug.cgi?id=4332)
- Unable to connect to ProFTPD using TLSSessionTickets and TLSv1.3
(
https://github.com/proftpd/proftpd/issues/795)
- SITE CPFR/CPTO did not honor <Limit> configurations
(
http://bugs.proftpd.org/show_bug.cgi?id=4372)
- Using "TLSProtocol SSLv23" did not enable all protocol versions
(
https://github.com/proftpd/proftpd/issues/807)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1764415 - CVE-2019-18217 proftpd: denial of service due to incorrect handling
of long command
https://bugzilla.redhat.com/show_bug.cgi?id=1764415
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-848e410cfb' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------