Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237533
Summary: CVE-2007-2165: proftpd auth bypass vulnerability
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: high
Priority: high
Component: proftpd
AssignedTo: matthias@rpmforge.net
ReportedBy: ville.skytta@iki.fi
QAContact: extras-qa@fedoraproject.org
CC: fedora-security-list@redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165
http://bugs.proftpd.org/show_bug.cgi?id=2922
"The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd."
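The NVD text above names a configuration shape rather than a single bad line: mod_sql set to compare passwords as plaintext while another authentication module (the system password file) can also supply the account record. The following is an added example, not code from this bug thread or from the ProFTPD project: a small Python audit that parses a proftpd.conf excerpt and flags that combination, with a constructed weak excerpt beside a constructed corrected one. The directive names SQLAuthTypes, SQLAuthenticate, AuthOrder and LoadModule are ProFTPD's own; the assumption that an unset AuthOrder lets every loaded auth module answer a lookup is ProFTPD's documented default as I understand it, and the real remediation remains the 1.3.1 update this thread ends with. The check is meant for auditing an install that has not yet received that update.

```python
"""Added example (not from this bug thread or the ProFTPD project): flag a
proftpd.conf that has the configuration shape named in CVE-2007-2165, i.e.
mod_sql comparing passwords as plaintext while more than one authentication
module may supply the account record. All config excerpts are constructed."""
from __future__ import annotations

# Constructed proftpd.conf excerpt with the risky combination.
WEAK_CONF = """\
ServerName "ftp.example.test"
LoadModule mod_sql.c
# Passwords in the SQL table are compared byte-for-byte
SQLAuthTypes Plaintext
SQLAuthenticate users
# Both mod_sql and the system password file may answer a lookup
AuthOrder mod_sql.c mod_auth_unix.c
"""

# Constructed excerpt with the combination removed: hashed comparison and a
# single module allowed to answer authentication lookups.
FIXED_CONF = """\
ServerName "ftp.example.test"
LoadModule mod_sql.c
SQLAuthTypes Crypt
SQLAuthenticate users
AuthOrder mod_sql.c
"""


def parse_directives(conf: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs from flat 'Directive arg arg' lines.

    Comments and blank lines are dropped. <Anonymous>, <Limit> and similar
    block markers are skipped rather than modelled, so directives inside
    such blocks are treated like top-level ones (a deliberate simplification).
    """
    directives = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split()
        # ProFTPD directive names are matched case-insensitively.
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit_auth_config(conf: str) -> list[str]:
    """Return findings; an empty list means the CVE-2007-2165 shape is absent."""
    directives = parse_directives(conf)
    sql_auth_types = {a.lower() for name, args in directives
                      if name == "sqlauthtypes" for a in args}
    auth_order = [a for name, args in directives
                  if name == "authorder" for a in args]
    sql_loaded = any(name == "loadmodule" and "mod_sql.c" in args
                     for name, args in directives) or bool(sql_auth_types)

    findings = []
    if sql_loaded and "plaintext" in sql_auth_types:
        findings.append("SQLAuthTypes allows Plaintext: mod_sql compares the "
                        "supplied password directly against whatever record "
                        "it is handed")
        # The mismatch needs a second module able to supply the record.
        # Assumption: with AuthOrder unset, every loaded auth module is
        # consulted, so 'unset' is treated the same as 'more than one'.
        if len(auth_order) != 1:
            findings.append("AuthOrder does not restrict authentication to a "
                            "single module (found: %s)"
                            % (" ".join(auth_order) or "unset"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_auth_config(conf) or ["no findings"])
```

Run it as a script to see both excerpts audited; the weak one yields two findings and the corrected one none. Switching SQLAuthTypes away from Plaintext alone clears the first finding, but restricting AuthOrder to one module is what removes the cross-module record handoff the CVE text describes.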
matthias@rpmforge.net changed:
What              |Removed        |Added
------------------+---------------+---------------
Status            |NEW            |ASSIGNED
------- Additional Comments From matthias@rpmforge.net 2007-06-15 11:41 EST -------
Still no backport of the patch to the stable 1.3.0a release. It's pretty annoying, since the patch against the latest RC doesn't apply cleanly because of variable name changes. I tried to backport it, but the risk in _me_ doing so is just too high.
I really don't understand how/why projects decide to not provide security patches for what they consider to be the current stable release... I'm going to push new proftpd packages anyway, to fix bug #244168 but not this bug, unfortunately :-(
bugzilla@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
Product           |Fedora Extras  |Fedora
------- Additional Comments From matthias@rpmforge.net 2007-08-19 12:22 EST -------
Still no patches backported to 1.3.0a, so I've at least pushed 1.3.1rc3 to devel (F8) since it fixes all known vulnerabilities, and should be more than stable enough for inclusion. Maybe later backporting it to all current releases would make sense...
kevin@tummy.com changed:
What              |Removed        |Added
------------------+---------------+---------------
CC                |               |kevin@tummy.com
------- Additional Comments From kevin@tummy.com 2007-09-13 20:11 EST -------
Any further news here?
Also, if the 1.3.1rc3 is working fine in devel, would you consider pushing to epel? or is it too disruptive going from 1.3.0a to 1.3.1rc3?
------- Additional Comments From matthias@rpmforge.net 2007-10-09 13:51 EST -------
I've updated devel to 1.3.1 final, now that it's out. I don't think updating from 1.3.0 to 1.3.1 is too disruptive, but I'm not sure it won't break on some complex setups...
------- Additional Comments From matthias@rpmforge.net 2007-10-22 10:37 EST -------
I've had no reports of any problems with 1.3.1, so I'll push it in F-7 testing updates. If everything looks good once it's there, then it should be possible to push it to stable.
------- Additional Comments From updates@fedoraproject.org 2007-10-24 03:05 EST -------
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update proftpd'
------- Additional Comments From updates@fedoraproject.org 2007-11-05 10:10 EST -------
proftpd-1.3.1-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
updates@fedoraproject.org changed:
What              |Removed        |Added
------------------+---------------+---------------
Status            |ASSIGNED       |CLOSED
Resolution        |               |ERRATA
Fixed In Version  |               |1.3.1-2.fc7
lkundrak@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
Status            |CLOSED         |ASSIGNED
Keywords          |               |Reopened
Resolution        |ERRATA         |
Version           |fc6            |f8test3
------- Additional Comments From lkundrak@redhat.com 2007-11-05 10:57 EST -------
Reopening for Werewolf.
lkundrak@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
Alias             |               |CVE-2007-2165
lkundrak@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
BugsThisDependsOn |               |367431
lkundrak@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
BugsThisDependsOn |367431         |
lkundrak@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
BugsThisDependsOn |               |367431
Bug 237533 depends on bug 367431, which changed state.
Bug 367431 Summary: CVE-2007-2165: proftpd auth bypass vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=367431
What              |Old Value      |New Value
------------------+---------------+---------------
Status            |NEW            |CLOSED
Resolution        |               |NOTABUG
lkundrak@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
BugsThisDependsOn |367431         |
bugzilla@redhat.com changed:
What              |Removed        |Added
------------------+---------------+---------------
Version           |f8test3        |8
------- Additional Comments From matthias@rpmforge.net 2008-02-03 12:37 EST -------
I'm confused. The package in F-7 updates has been newer than that one in F-8 for ages, and I haven't received any nag mails about it. Still they're all 1.3.1, so the security fix is included. Nevertheless, I'll be pushing 1.3.1-3 as an F-8 update.
------- Additional Comments From kevin@tummy.com 2008-02-03 12:41 EST -------
How about also updating EPEL-5 too? It has version 1.3.0a still...
------- Additional Comments From matthias@rpmforge.net 2008-02-03 12:47 EST -------
(In reply to comment #10)
> How about also updating EPEL-5 too? It has version 1.3.0a still...
Ouch, you're absolutely right! I'll do that now. I still can't reproduce the EL-4 build failure from bug #250223 on my machine, so I think I'll give up on EL-4 proftpd, though.
matthias@rpmforge.net changed:
What              |Removed        |Added
------------------+---------------+---------------
Status            |ASSIGNED       |CLOSED
Resolution        |               |CURRENTRELEASE
------- Additional Comments From matthias@rpmforge.net 2008-02-03 13:12 EST -------
Both EL-5 and EL4 build fine, so those are updated too now.
------- Additional Comments From updates@fedoraproject.org 2008-07-30 16:09 EST -------
proftpd-1.3.1-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.